EP3381003A1 - System for and method of authenticating a user on a device - Google Patents

System for and method of authenticating a user on a device

Info

Publication number
EP3381003A1
Authority
EP
European Patent Office
Prior art keywords
processor
secure element
touch screen
correspondence table
screen controller
Prior art date
Legal status
Granted
Application number
EP16881348.3A
Other languages
German (de)
French (fr)
Other versions
EP3381003B1 (en)
EP3381003A4 (en)
Inventor
Julien OLLIVIER
Vincent ALIMI
Sébastien FONTAINE
Current Assignee
Mobeewave Systems ULC
Original Assignee
Mobeewave Inc
Priority date
Filing date
Publication date
Family has litigation
First worldwide family litigation filed (source: https://patents.darts-ip.com/?family=59225789&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=EP3381003(A1) ; "Global patent litigation dataset" by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License)
Application filed by Mobeewave Inc
Priority to PL16881348T (PL3381003T3)
Publication of EP3381003A1
Publication of EP3381003A4
Application granted
Publication of EP3381003B1
Revoked (current legal status)
Anticipated expiration

Links

Classifications

    • G09C5/00 Ciphering apparatus or methods not provided for in the preceding groups, e.g. involving the concealment or deformation of graphic data such as designs, written or printed messages
    • G06F21/31 User authentication
    • G06F21/36 User authentication by graphic or iconic representation
    • G06F21/83 Protecting input devices, e.g. keyboards, mice or controllers thereof
    • G06Q20/3227 Aspects of commerce using mobile devices [M-devices] using secure elements embedded in M-devices
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/4014 Identity check for transactions
    • G07F7/0886 Details of the card reader, the card reader being part of the point of sale [POS] terminal or electronic cash register [ECR] itself and being portable for interacting with a POS or ECR in realizing a payment transaction
    • G07F7/1041 PIN input keyboard gets new key allocation at each use
    • H04L9/3226 Cryptographic mechanisms including means for verifying the identity or authority of a user of the system using a predetermined code, e.g. password, passphrase or PIN
    • H04W12/06 Security arrangements; authentication
    • H04L2209/56 Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present technology relates to systems and methods for authenticating a user on mobile devices.
  • the system and method may be used in the context of conducting transactions on a mobile device, more particularly secured financial transactions.
  • Payment terminals also known as point of sale (POS) terminals, are well established in the art. They are used for electronic funds transfers between retailers and customers where transactions are conducted by swiping, inserting or tapping payment cards with a POS terminal. Some POS terminals support only magnetic stripe technology (swiping), while other terminals additionally or exclusively support so-called chip cards or smart cards, which comprise a microprocessor chip embedded in the card. This chip provides a high level of security against both logical and physical attacks aiming to clone the card or compromise sensitive information stored within it.
  • Mobile payment systems and digital wallets such as Apple Pay®, Android Pay® and Samsung Pay® allow customers to store their credit card information on their mobile devices and use their devices to make payments via near field communication (NFC) or radio-frequency identification (RFID) on adapted contactless point of sale terminals.
  • NFC near field communication
  • RFID radio-frequency identification
  • However, mobile devices may not meet the security standards required to act as payment terminals, and mobile payment systems are not accepted everywhere; they therefore do not eliminate the need for dedicated payment terminals.
  • PIN Personal Identification Number
  • PED PIN Entry Device
  • ISO 9564 international standard for Personal Identification Number (PIN) management and security in retail banking; the Payment Card Industry (PCI) PIN Transaction Security (PTS) requirements cover PIN entry devices
  • PCI Payment Card Industry
  • PTS PIN Transaction Security
  • other applicable PCI standards which have been developed for PIN security and management in retail banking, the standards comprising requirements for PIN length, selection, issuance, delivery, encryption algorithms, storage, transmission, secure entry and requirements for offline PIN handling in ATM and POS systems.
  • Embodiments of the present technology have been developed based on inventors' appreciation that known approaches for secured PIN entry may, in some instances, not be relied upon to conduct secured financial transactions compliant with financial industry standards on mobile devices. Improvements are therefore desirable, in particular improvements aimed at assuring that a PIC is stored either in a secure environment or in encrypted form in a non-secure environment and therefore not accessible to untrusted software running on the main processor.
  • the method and system comprises:
    • generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad;
    • transmitting, to the secure element, the correspondence table;
    • transmitting, to the display controller, the visual representation of the scrambled keypad;
    • transmitting, to the touch screen controller, the hot spots layout;
    • causing to display, by the display controller, the visual representation of the scrambled keypad on the display screen;
    • detecting, by the touch screen controller, a touch event input from a user on the touchpad;
    • generating, by the touch screen controller, a keying event based on the touch event input and the hot spots layout;
    • encrypting, by the touch screen controller, the keying event;
    • transmitting, to the secure element, the encrypted keying event;
    • decrypting, by the secure element, the encrypted keying event; and
    • reconstituting, by the secure element, a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.
  • PIC personal identification code
  • another aspect of the subject matter described in the specification can be embodied in a method and system that further comprises, after encrypting the correspondence table, decrypting, by the secure element, the correspondence table.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein an unencrypted version of the PIC remains inaccessible to any one of the processor, the display controller, the touch screen controller and the isolated secured area of the processor, at any given time.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein an unencrypted version of the PIC is solely accessible by the secure element.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein the touch screen controller does not have access to the correspondence table nor to the visual representation of the scrambled keypad, at any given time.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein the secure element is securely connected to the processor.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein the method further comprises re-scrambling at least a portion of the visual representation of the scrambled keypad by generating a correspondence table after a keying event occurs.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein multiple correspondence tables, hot spots layouts and visual representations of scrambled keypads are generated before a touch event occurs.
  • the visual representation of the scrambled keypad is at least one of an image, a video stream and a visual representation of a keypad.
  • the secure element is at least one of a hardware element operatively connected to the processor, a software component run by the processor, the isolated secured area and a portion of the isolated secured area.
  • Another aspect of the subject matter described in the specification can be embodied in a method and system wherein generating the correspondence table, the hot spots layout and the visual representation of the scrambled keypad is executed by one of the isolated secured area of the processor and the secure element.
  • another aspect of the subject matter described in the specification can be embodied in a method and system wherein reconstituting the PIC associated with the user comprises mapping the keying events on the correspondence table.
  • various implementations of the present technology provide a non-transitory computer-readable medium storing program instructions for conducting secured PIC entry on a device, the program instructions being executable by a processor of a computer-based system to carry out one or more of the above-recited methods.
  • various implementations of the present technology provide a computer-based system, such as, for example, but without being limitative, a device comprising at least one processor and a memory storing program instructions for conducting secured PIC entry on a device, the program instructions being executable by one or more processors of the computer-based system to carry out one or more of the above-recited methods.
  • FIG. 1 is an illustration of the components and features of the device in accordance with an embodiment of the present technology
  • FIG. 2a is an illustration of a possible correspondence table in accordance with an embodiment of the present technology
  • FIG. 2b is an illustration of a possible hot spots layout in accordance with an embodiment of the present technology
  • FIG. 2c is an illustration of a possible arrangement of a scrambled keypad in accordance with an embodiment of the present technology
  • FIG. 3 is an illustration of a possible personal identification code (PIC) authentication screen in accordance with an embodiment of the present technology
  • FIG. 4 is a flowchart representation of a communication flow between a processor, a display controller, a touch screen controller and a secure element in accordance with an embodiment of the present technology.
  • FIG. 5 is an illustration of a method carried out in accordance with non-limiting embodiments of the present technology.
  • Secure transactions include, for example, but without being limitative, contact and contactless transactions.
  • Secure elements include, for example, but without being limitative, a chipset, a secured chipset, hardware embedding a secured component, software embedding a secured component, or firmware embedding a secured component.
  • security standards include, without being limitative, certification standards from Europay, MasterCard, and Visa (EMV), EMVCo, MasterCard®, Visa®, American Express®, JCB®, Discover® and from the PCI SSC (Payment Card Industry Security Standards Council), founded by MasterCard®, Visa®, American Express®, Discover® and JCB® and dealing specifically with the definition of security standards for financial transactions.
  • EMV Europay, MasterCard, and Visa
  • PCI SSC Payment Card Industry Security Standards Council
  • SoC system on chip
  • a typical SoC may include but is not limited to one or more general-purpose microprocessors or Central Processing Units (CPUs), co-processors such as a digital signal processor (DSP), a Graphics Processing Unit (GPU), and multimedia coprocessors such as MPEG and JPEG encoders and decoders.
  • the SoC may also include modems for various wireless communications interfaces including cellular (e.g. LTE/4G, 3G, GSM, CDMA, etc.), Bluetooth, and Wireless Fidelity (Wi-Fi) (IEEE 802.11).
  • the SoC may include memory controllers for interfacing with on-die or external DRAM memory chips, and on-die memory blocks including a selection of ROM, SRAM, DRAM, EEPROM and flash memory.
  • the SoC may additionally include timing sources, peripherals including counter-timers, real-time timers and power-on reset generators, debug, JTAG and Design For Test (DFT) interfaces, external interfaces, analog interfaces, voltage regulators, power management circuits, etc.
  • DFT Design For Test
  • the SoC may also include connectivity components such as simple buses or on-chip networks following the ARM Advanced Microcontroller Bus Architecture (AMBA) specification connecting these blocks together as known in the art.
  • AMBA ARM Advanced Microcontroller Bus Architecture
  • Some blocks may be packaged separately and stacked on the top of the SoC, a design known in the art as Package-on-package (PoP).
  • PoP Package-on-package
  • some blocks may be comprised in distinct integrated circuits (or dies) but packaged together, a design known in the art as a System in Package (SiP).
  • SiP System in Package
  • Isolated secured area of the processor a processing entity characterized by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards.
  • the isolated secured area ensures that sensitive data is stored, processed and protected in a secured and trusted environment of the processor while maintaining high processing speeds and large amounts of accessible memory.
  • the isolated secured area may offer isolated execution, secure storage, remote attestation, secure provisioning, trusted boot and trusted path.
  • the isolated secured area allows the processor to operate in two logical modes: normal world or secure world.
  • the normal world is run by the non-secure area of the processor and may comprise the non-secure Rich Operating System (Rich OS) and the software components and applications that run on top of the Rich OS.
  • the normal world is excluded from accessing resources that are provisioned for exclusive use in the secure world.
  • the secure world is run by the isolated secured area, which is the only entity to have access to resources provisioned for use exclusively in the secured area, such as certain delineated ranges of ROM or RAM memory, processor or co-processor configuration registers, and certain peripherals such as display controllers or touch screen controllers, and their associated configuration registers.
  • Some of the resources provisioned for the exclusive use of the isolated secure area may be on the same die or package as the SoC, while others may be contained in a different die or package.
  • Some of the resources may be dynamically provisioned for the exclusive use of the isolated secure area at certain times, while at other times they may be available for use by the normal world.
  • the isolated secured area only runs authorized and trusted applications and provides security against logical attacks generated in the Rich OS environment, attacks aiming to compromise boot firmware, attacks that exploit debug and test interfaces, and other non-invasive attacks.
  • Non-limiting examples of an isolated secured area of the processor include Trusted Execution Environment (TEE), Intel Trusted Execution Technology (TXT), the Trusted Platform Module (TPM), the Hengzhi chip and the IBM Embedded Security Subsystem (ESS) chip.
  • TEE Trusted Execution Environment
  • TXT Intel Trusted Execution Technology
  • TPM Trusted Platform Module
  • ESS IBM Embedded Security Subsystem
  • the isolated secured area of the processor is designed so as not to be accessible, even to a human administrator.
  • the isolated secured area may be implemented partially or completely via a dedicated hardware element such as, but without being limited thereto, a secure element as defined in the paragraph below. Other variations of the isolated secured area may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
  • Secure element a processing entity characterized by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards.
  • a secure element includes the usual components found in a computing entity: at least one microprocessor (e.g. CPU), memory (e.g. ROM, RAM or FLASH memory), communication interfaces, etc.
  • Specific hardware components may also be included to implement specific functionalities particular to a secure element.
  • a cryptographic accelerator may be included.
  • various tamper resistance, tamper detection and/or tamper response features may be included to prevent a malicious person from extracting sensitive information from the secure element.
  • Anti-tamper measures may comprise hardware aspects, software aspects, or a combination of hardware and software.
  • certain counter-measures to prevent side-channel attacks aiming to recover cryptographic keys or other sensitive information may be included in the secure element.
  • Counter-measures against side-channel attacks may include hardware aspects, software aspects, or both.
  • measures to reduce EM emissions, such as shielding may be included, to protect the secure element from eavesdropping.
  • the certification of the secure element ensures that various financial entities are willing to use the secure element to store and process critical financial data, and to perform secured financial transactions using the critical financial data.
  • the secure element may be solely characterized by software components.
  • the secure element may be, in some embodiments, implemented partially or completely as an isolated secured area of the processor, such as the isolated secured area described in the paragraph above, in which case the secure element may be implemented, for example, but without being limitative, as a TEE, a TPM and/or an ESS. Other variations of the secure element may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
  • Touch screen a touch-sensitive sensor device with an input and/or output interface usually superimposed on top of an electronic visual display of an information processing system. Touch screens usually work by detecting tactile and/or haptic contact with the touch screen display. Touch screen technologies may include, but are not limited to resistive, surface acoustic wave, capacitive, projective capacitive, infrared grid, infrared acrylic projection, optical imaging, dispersive signal technology and acoustic pulse recognition touchscreens. Touch screens may include force sensitive components to detect pressure applied to the screen. Touch screens may also include haptic feedback components. Other variations of the touch screen may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
  • Touch screen controller a controller that detects analog touch signals output by the touch screen, may perform analog-to-digital conversion of the analog output, may perform signal processing steps to condition the signal and deduce the screen coordinates associated with one or more touch events.
  • the coordinates of touch events are output to a processor over low-bandwidth serial interfaces such as the serial peripheral interface (SPI) and the inter-integrated circuit (I²C) bus, as is known in the art.
  • SPI serial peripheral interface
  • I²C inter-integrated circuit
  • the touch screen controller may be integrated with the display controller or any other block. Other variations of the touch screen controller may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
  • Display screen an electronic visual display device with an input and/or output interface used to convey visual information to the user.
  • Display screen technologies may include, but are not limited to, Liquid Crystal Displays (LCD), displays based on Organic Light-Emitting Diode (OLED) technology, displays based on active-matrix organic light-emitting diode (AMOLED) technology.
  • LCD Liquid Crystal Displays
  • OLED Organic Light-Emitting Diode
  • AMOLED active-matrix organic light-emitting diode
  • Display screen controller A device capable of inputting digital image data, either from a frame buffer in memory or from a standard digital interface such as MIPI or eDP, and outputting analog or digital video signals suitable for interfacing with the specific display screen technology and at an appropriate frame rate (for example, using LVDS).
  • the display controller may be included in the same die or package as the processor SoC, or be a discrete component, or be integrated with the display screen, or a combination.
  • the display controller may include functions for image upscaling, downscaling, rotation and blending.
  • TUI Trusted User Interface
  • the TUI in a device may be subjected to a certification ensuring a specific level of security according to specific security standards.
  • a TUI automatically detects and only allows authorized or trusted applications to access the content of a secure screen memory.
  • the TUI is one specific mode in which the device is controlled by the isolated secured area of the processor to ensure that the information displayed on the touch screen is from a trusted source and isolated from the operating system.
  • Other variations of the TUI may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
  • Security standards may comprise multiple security levels, such as, but without being limitative, Level 1, Level 2, or Level 3.
  • Level 1 may correspond to a higher level of security than Level 2 which, in turn, may correspond to a higher level of security than Level 3.
  • the EMVCo standard may provide examples of security levels and approval and certification standards such as terminal type approval process, security evaluation process, card type approval process, or mobile type approval process.
  • the terminal type approval process may be a mechanism to test compliance with Europay, MasterCard, and Visa (EMV) specifications. The terminal type approval may provide a level of confidence that interoperability and consistent behavior between compliant applications may be achieved.
  • the terminal type approval testing may be divided into two levels, Level 1 and Level 2.
  • the Level 1 type approval process may test compliance with the electromechanical characteristics, logical interface, and transmission protocol requirements defined in the EMV specifications.
  • the Level 2 type approval may test compliance with the debit/credit application requirements as defined in the EMV specifications.
  • the terminal type approval testing may include a Level 3 approval, which guarantees secure communications between an application executed on the terminal and a financial institution.
  • FIG. 1 is a block diagram illustrating various exemplary components and features of an illustrative device 100 in accordance with one embodiment of the present technology.
  • a method and a system for conducting a secured financial transaction on a device comprises a processor, the processor comprises an isolated secured area, a display screen operatively connected to a display screen controller, the display screen controller operatively connected to the processor, a touch screen operatively connected to a touch screen controller, the touch screen controller operatively connected to the processor and a secure element associated with the processor.
  • the device may be implemented as any device comprising the components needed to carry a method and a system detailed hereinafter.
  • the device may include a smartphone, a phablet, a smartwatch and/or a wearable computer, a PDA, a tablet and a computer.
  • the device may also be embedded in or on objects not solely dedicated to computing and/or information processing functions, such as, but not limited to, a vehicle, a piece of furniture, an appliance, etc.
  • the device 100 comprises a mobile package on package (PoP) chipset 110, a projective capacitive touch panel superimposed on a LCD display 130, a display controller and a touch screen controller 140, a secure element and a contactless front-end 150 and a flash memory 120.
  • PoP mobile package on package
  • the mobile PoP chipset 110 comprises a Low Power Double Data Rate (LP DDR) memory 112 stacked with a SoC application processor 114.
  • the SoC application processor 114 comprises an isolated secured area (ISA) 115, a central processing unit (CPU) 116, a trusted user interface (TUI) 117, a secure read-only memory (ROM) 118 and a secure random access memory (RAM) 119.
  • the LP DDR 112 comprises a secure RAM memory 113.
  • the mobile PoP chipset 110 is connected to a flash memory 120 comprising secure objects 122.
  • the device may execute a non-secure operating system (OS).
  • OS non-secure operating system
  • Examples of an OS running on the SoC application processor 114 include, but are not limited to, a version of iOS®, or a derivative thereof, available from Apple Inc.; a version of Android OS®, or a derivative thereof, available from Google Inc.; a version of PlayBook OS®, or a derivative thereof, available from RIM Inc. It is understood that other proprietary OSs or custom made OSs may be equally used without departing from the scope of the present technology.
  • the isolated secure area may execute a secure OS, which is separate, distinct and isolated from the OS being executed by the non-secure area of the processor.
  • the secure OS typically has higher privilege levels than the non-secure OS, which allow it, for example, to exclude the non-secure OS from accessing sensitive resources.
  • the secure OS may be entirely different from the non-secure OS (e.g. a secure microkernel), or may be substantially the same as the non-secure OS (e.g. a modified version of Android OS®).
  • the touch screen controller 144 is connected to the trusted user interface 117 by way of a serial peripheral interface (SPI) or inter-integrated circuit (I2C) interface, serial interfaces known in the art for attaching integrated circuits (ICs) to processors and microcontrollers.
  • the display controller 142 is connected to the trusted user interface 117 with a MIPI display serial interface (MIPI-DSI) or an embedded display port (eDP) connection, display protocols and serial buses between host and device, as would be recognized by someone skilled in the art.
  • MIPI- DSI MIPI display serial interface
  • eDP embedded display port
  • the projective capacitive touch panel 134 is superimposed on the LCD display 132.
  • the secure element 152 is connected to the SoC application processor 114 by way of a SPI bus interface.
  • the contactless front-end 154 is connected to the SoC application processor 114 with an I2C interface.
  • the touch screen controller 144 may be securely connected to the TUI 117, such that every transmission of data between touch screen controller 144 and TUI 117 is encrypted.
  • the secure element 152 is securely connected to the contactless front-end 154 and to the SoC application processor 114, such that every transmission of data between the secure element 152, the contactless front-end 154 and the SoC application processor 114 is encrypted.
  • Such examples of devices and connections are only presented for an illustrative purpose, and other variations may be possible, as would be recognized by a person skilled in the art of the present technology.
  • Turning now to FIG. 2a, a non-limiting example of a correspondence table 200 is illustrated.
  • the correspondence table 200 may be an array.
  • Each column of the correspondence table 200 may represent a position 202 on a keypad.
  • Associated with each position 202 is a value 204.
  • PRNG pseudorandom number generator
  • a pseudorandom number generator (PRNG) may generate each value 204 such that each value occurs exactly once in the correspondence table 200 and is equally likely to appear at any given position, i.e. the table is a uniformly random permutation of the key values. For this property to hold against an adversary, the generator must be cryptographically secure and the shuffle unbiased (e.g. Fisher-Yates with uniform draws); a predictable seed or a biased shuffle would let an observer narrow down the table.
  • the correspondence table 200 may then be used to generate a scrambled keypad, such as the scrambled keypad of FIG. 2c.
  • Other embodiments of the correspondence table may be possible, where values are replaced by letters or symbols, as it would be recognized by someone skilled in the art.
  • the correspondence table once generated, may be sent to the secure element for subsequent reconstitution of a PIC.
  • In FIG. 2b, a non-limiting example of a graphical representation of a hot spots layout 240 is illustrated.
  • the hot spots layout 240 corresponds to the geometry and the position of each key that may be pressed by a user on a touch screen.
  • the hot spots layout may define that the key 245, representing position 1 on the keypad, corresponds to every touch event whose coordinate lies within the rectangle defined by the coordinates 242 and 244.
  • the hot spots layout 240 may be sent to a touch screen controller, and the touch screen controller may process a touch event according to the hot spots layout to output a keying event.
  • In FIG. 2c, a non-limiting example of a visual representation of a scrambled keypad 280 is illustrated.
  • the visual representation of a scrambled keypad 280 with values 285 may be generated by combining the information in a correspondence table 200 and a hot spots layout 240.
  • the scrambled keypad 280 may be generated by other types of correspondence tables and hot spots layouts. It is understood that the scrambled keypad 280 is only presented as an illustrative purpose, and other forms and arrangements of a scrambled keypad may be possible, as it would be recognized by someone skilled in the art.
  • the scrambled keypad 280 may be part of a PIC entry screen such as PIC entry screen of FIG. 3, and transmitted to be displayed on a display screen by a display controller.
  • a scrambled keypad provides a certain level of security for PIC entry, as it makes direct observation of the PIC by a malevolent person or software more difficult. Even if a malevolent person or software has access to the touch event outputs or the keying events, these only reveal key positions: the PIC cannot be reconstituted from them without the correspondence table of the scrambled keypad. Note that with a single table per entry, repeated positions still reveal repeated digits; re-scrambling the keypad after each touch event removes that correlation and adds a further level of security.
  • PIC personal identification code
  • the PIN entry screen may be part of an application or software run by the CPU and/or the isolated secured area of the processor of the device. In other embodiments, the PIN entry screen may be, but is not limited to, a standalone application or an extension of another application, or may be invoked by a procedure call from another application when a secure PIN entry is needed.
  • the PIN entry screen 300 may be displayed on a part of the screen or the whole screen, and may run parallel to another application appearing on a different part of the screen. In this embodiment, a logo 310 is displayed on the top of the PIN entry screen 300. A text prompting the user to enter her/his PIN 320 is displayed under the logo 310.
  • Data entry field 330 with asterisks corresponding to keys pressed by the user on the touch screen is displayed under prompting text 320.
  • a scrambled keypad 340 is displayed under data entry field 330, with correct, confirm and validate buttons 350.
  • a security indicator 360 associated with the user is displayed on the bottom of the screen.
  • the security indicator 360 comprises a secret shared between the user and a trusted entity, such as but not limited to a financial institution holding his account.
  • the shared secret may be an image, a catchphrase or any other secret information recognized by the user, and is displayed so that the user may be confident that he is entering his PIC on a trusted application securely connected to a trusted server of his/her financial institution.
  • the security indicator 360 may be a video stream where each single frame contains a part of the security indicator, such as a malevolent person or software may not be able to reproduce the security indicator from a single photograph or screenshot.
  • the scrambled keypad may be composed of different symbols and/or numbers and/or letters.
  • the security indicator may be visual and/or auditory and/or olfactory and/or tactile, provided that the device has the required technology to support such embodiments. This example is only for illustrative purposes, and many versions of a PIC entry screen may be defined, as would be appreciated by a person skilled in the art of the present technology.
  • FIG. 4 is a flowchart representation of a communication flow between an isolated secured area of the SoC application processor 404, a display controller 406, a touch screen controller 408 and a secure element 402 in accordance with an embodiment of the method and systems of the present technology.
  • display controller 406 and touch screen controller 408 may be merged in a single component.
  • the role of the secure element may be played by a secure server in the cloud.
  • the isolated secured area of the SoC application processor 404 generates a correspondence table, an image of a scrambled keypad and coordinates to delimit each key in the scrambled keypad, also known as a hot spots layout in the art.
  • the SoC application processor 404 transmits the scrambled keypad image to the display controller 406.
  • the SoC application processor 404 transmits the hot spots layout to the touch screen controller 408.
  • the SoC application processor 404 encrypts and transmits the correspondence table to the secure element 402.
  • a TUI controlled by the isolated secured area of the SoC application processor 404 may generate a correspondence table, a hot spots layout, a scrambled keypad image and transmit the scrambled keypad image to the display controller 406, the hot spots layout to the touch screen controller 408 and the correspondence table to the secure element 402.
  • the secure element 402 may generate a correspondence table, a hot spots layout, a scrambled keypad image and transmits the scrambled keypad image to the display controller 406 and the hot spots layout to the touch screen controller 408.
  • the touch screen controller 408, having received the hot spots layout and thereby having knowledge of the location and dimensions of the keys defined by the isolated secured area of the processor 404, but not their value, may process the touch event inputs by a user with the hot spots layout to create one or more keying events and encrypt the resulting keying events.
  • the touch screen controller 408 may send the encrypted keying events to the secure element 402.
  • the touch screen controller 408 is directly connected to the secure element 402.
  • the touch screen controller 408 may send encrypted keying events to the isolated secured area of the SoC application processor 404, and the isolated secured area 404 may then send the encrypted keying events to the secure element 402.
  • the secure element 402 may decrypt the encrypted keying events and the encrypted correspondence table to reconstitute a PIC.
  • the secure element 402 is the only component able to decrypt the encrypted correspondence table and the encrypted keying events.
  • the secure element 402 is the only component being able to reconstitute a PIC from unencrypted versions of the correspondence table and the keying events.
  • the secure element 402 is the only component having access to an unencrypted version of the PIC. After reconstituting the PIC, the secure element 402 may encrypt the reconstituted PIC, and transmit the encrypted PIC to the isolated secured area 404.
  • the PIC may be combined with other information, prior to encrypting the PIC together with the other information.
  • the PIN may be combined with the Primary Account Number (PAN) to form a PIN block, as specified by the ISO 9564 standard; in format 0, the PIN field is XORed with a field derived from the rightmost twelve PAN digits (check digit excluded), so the block can only be decoded by a party that also knows the PAN.
  • PAN Primary Account Number
  • the isolated secure area may transmit the encrypted PIC, through the Internet or other networks, to the financial institution holding the user's account, possibly through the communications interfaces of the non-secure area of the processor, so that the transaction may be authorized.
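The ISO 9564-1 format 0 PIN block mentioned above, as an added Python example (it is not code from the patent or from its assignee). The PIN field (control nibble 0, PIN length nibble, PIN digits, F padding to eight bytes) is XORed with the PAN field (four zero nibbles and the rightmost twelve PAN digits excluding the Luhn check digit). The function names are my own, and the PIN and PAN values used in the usage note are constructed test inputs. `extract_pin` shows the reverse step a host security module performs, and why a block decoded with the wrong PAN fails validation rather than yielding a plausible PIN.

```python
"""ISO 9564-1 format 0 PIN block: PIN field XOR PAN field (added example)."""


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check over the full PAN, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pin_field_format0(pin: str) -> bytes:
    """Control nibble 0, PIN length nibble, PIN digits, padded with F to 8 bytes."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))


def pan_field_format0(pan: str) -> bytes:
    """Four zero nibbles plus the rightmost 12 PAN digits, check digit excluded."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("PAN must be 13 to 19 digits with a valid Luhn check digit")
    return bytes.fromhex("0000" + pan[:-1][-12:])


def build_pin_block(pin: str, pan: str) -> bytes:
    """Clear PIN block; in a PIN entry device this is what gets encrypted, never the raw PIN."""
    return bytes(a ^ b for a, b in zip(pin_field_format0(pin), pan_field_format0(pan)))


def extract_pin(block: bytes, pan: str) -> str:
    """Reverse step at the host: XOR the PAN field back in, then validate the format."""
    field = bytes(a ^ b for a, b in zip(block, pan_field_format0(pan))).hex().upper()
    if field[0] != "0":
        raise ValueError("not a format 0 PIN block")
    n = int(field[1], 16)
    pin, pad = field[2:2 + n], field[2 + n:]
    if not (4 <= n <= 12 and pin.isdigit() and pad == "F" * len(pad)):
        raise ValueError("block does not decode to a valid PIN: wrong PAN or corrupted block")
    return pin


if __name__ == "__main__":
    # Constructed test inputs: a widely used Visa test PAN and a throwaway PIN.
    blk = build_pin_block("1234", "4111111111111111")
    print(blk.hex().upper(), extract_pin(blk, "4111111111111111"))
```

Because the PAN is mixed in, two cardholders with the same PIN produce different blocks, and the block alone does not let an observer learn the PIN; the encryption step that follows is still required, since the PAN travels in clear in most transaction messages.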
  • FIG. 5 shows a flowchart illustrating a first computer- implemented method 500 for conducting a secured PIC entry on a device.
  • the secured PIC entry refers to a secured financial transaction using a mobile device.
  • the first computer-implemented method 500 may be (completely or partially) implemented on the mobile device 100.
  • the method 500 starts with a step 502 with the generation of a correspondence table, a hot spots layout and scrambled keypad image, such as but not limited to correspondence table of FIG. 2a, the hot spots layout of FIG. 2b and the scrambled keypad image of FIG. 2c.
  • the correspondence table, the hot spots layout and the scrambled keypad image may be generated in the isolated secured area of the processor 115.
  • the correspondence table, the hot spots layout and the scrambled keypad image may be generated in a secure element 152.
  • the correspondence table, the hot spots layout and the scrambled keypad image may be generated by an external secure module and securely transmitted to an isolated secured area of the processor 115.
  • the correspondence table, the hot spots layout and the scrambled keypad image may be generated by an external device or server, encrypted and sent by a communication network to the device.
  • one or more correspondence tables, hot spots layouts and scrambled keypad images may be generated at the same time.
  • one or more correspondence tables, hot spots layouts and scrambled keypad images may be generated at different times.
  • a correspondence table or array is first created, where the size of the array corresponds to the number of keys in the keypad. Each position in the array, from 0 to 9, has for value a random number, such that each number from 0 to 9 appears only once as a value in the array.
  • a scrambled keypad image may then be generated from the correspondence array, where each key position has the corresponding value.
  • a hot spots layout may also be generated, where the location and geometry of the operable keys are defined. In some embodiments, the geometry and the position of the hot spots layout may also be randomized and/or encoded and may be further encrypted. Different methods for generating the correspondence table, the hot spots layout and the scrambled keypad image may be possible, as it would be recognized by someone skilled in the art of the present technology.
  • the scrambled keypad image may then be integrated in a PIC entry screen, such as the PIC entry screen from FIG. 3.
  • a visual representation of a scrambled keypad may be generated in the form of an image.
  • the scrambled keypad may be generated in the form of a video stream, where each single frame of the video stream contains a part of the keypad, and the rapid succession of frames make the video stream appear as a static image to the human eye. This may add a layer of security by making the process of capturing the scrambled keypad by means of photographing the device or screen capture more bothersome, as no single frame contains enough information to reconstruct the scrambled keypad and thereby gain knowledge of the correspondence table.
  • the correspondence table of the scrambled keypad is transmitted to the secure element 152.
  • the correspondence table may be encrypted before being transmitted to the secure element 152.
  • the scrambled keypad image is transmitted to a display controller 142.
  • a plurality of different PIC entry screens comprising different scrambled keypads may be transmitted to the display controller 142.
  • a TUI 117 may generate the correspondence table, the hot spots layout, the scrambled keypad image and transmit the scrambled keypad image to the display controller 142.
  • the PIC entry screen may comprise a security indicator.
  • the scrambled keypad image is transmitted from the secure element to the isolated secured area before being transmitted to the display controller 142.
  • the correspondence table, the hot spots layout and the scrambled keypad image may be generated in the secure element 152, with the secure element 152 directly connected to the display controller 142, and then transmitted to the display controller.
  • the hot spots layout is transmitted to the touch screen controller.
  • the hot spots layout is generated in the isolated secured area of the processor and transmitted to the touch screen controller.
  • the hot spots layout is generated in the secure element, encrypted and transmitted to the touch screen controller.
  • the display controller 142 causes to display the scrambled keypad image on the display screen 132.
  • the scrambled keypad image may be displayed on any part of the display screen 132.
  • each key of the scrambled keypad image may be displayed on corresponding physical keys comprising embedded screens.
  • a security indicator may be displayed at the same time as the scrambled keypad.
  • the touch screen controller 144 detects one or more touch event inputs on the touch screen 134 from a user.
  • the touch event inputs may be input by a user with her/his fingers, with a stylus/pen, or with anything that may be sensed by the touch screen 134.
  • the touch screen 134 may use projected capacitive (p-cap) technology to sense an input, wherein capacitive sensors detect anything that is conductive or that has a dielectric constant different from air.
  • the capacitive sensors comprise individual electrodes or electrode intersections that are repeatedly and iteratively scanned by a touch screen controller in order to detect changes in capacitance.
  • a precise x-y touch coordinate with a corresponding state (e.g. touch or release) may be determined by interpolating values of capacitance from multiple adjacent electrodes or intersections.
  • the touch screen 134 may also comprise pressure sensors to detect different levels of pressure.
  • the keypad displayed on screen may be re-scrambled or changed to a different layout by the isolated secured area of the processor 115 after each touch event input, such that a different scrambled keypad appears after each touch input by the user.
  • a mouse, a trackpad or a touch screen may be connected to the device, and the corresponding events may be processed by a touch screen controller or an isolated secured area of the processor.
  • a touch screen controller 144 generates one or more keying events based on the touch event inputs by the user at step 512.
  • the touch screen controller first processes the analog touch event inputs by the user into digital touch event outputs.
  • the generation of touch event outputs based on touch event inputs by a user on a touch screen is well known in the art of the present technology.
  • a z touch coordinate may also be generated if the touch screen 134 comprises a pressure sensor.
  • the touch screen controller 144 may dismiss every gesture that is not a single touch input, such as but not limited to swiping gestures or multi-touch gestures.
  • multiple touch events outputs may correspond to a single keying event.
  • the touch event output coordinates may be converted into keying events by comparing them with the hot spots layout, wherein a touch event may correspond to a position "2" on the scrambled key pad, because the touch event's output coordinate falls within the limits of the hot spot at position "2".
  • the touch screen controller 144 encrypts the one or more keying events generated at the step 514.
  • the one or more keying events may be encrypted using asymmetric cryptography while in other embodiments symmetric cryptography may be used.
  • block ciphers may be used while in other embodiments stream ciphers may be used.
  • white-box cryptography may be used.
  • the keying events may be encrypted using a public or a private cryptographic key.
  • Some embodiments may employ the RSA algorithm while other embodiments may employ algorithms based on elliptic curves, the discrete logarithm problem, or other mathematical principles.
  • in symmetric embodiments the key is secret and the encryption algorithm may be DES, TDES or AES, or other encryption methods known in the art. Single-length DES is no longer permitted by current payment-industry PIN security standards; TDES or AES with the key lengths those standards require is used in practice.
  • the touch screen controller may encrypt the touch events according to encryption security standards of the financial industry.
  • the key used may be changed for each transaction and be unique to each device. More specifically, the key may be managed according to the ANSI X9.24 specifications using the Derived Unique Key Per Transaction (DUKPT) method, under which each transaction key is derived from a device-unique initial key and a transaction counter, so that compromise of one transaction key does not expose the keys of other transactions.
  • the touch screen controller 144 transmits the encrypted keying events generated at step 516.
  • the touch screen controller 144 transmits the encrypted keying events to the secure element 152.
  • the touch screen controller 144 may be directly connected to the secure element 152.
  • the touch screen controller may transmit the encrypted keying events to the isolated secured area of the processor 115, and the encrypted keying events may then be transmitted to the secure element 152 by the isolated secured area of the processor.
  • step 504 may be executed after step 506 and/or step 508.
  • the steps 504 and 518 may be executed at the same time.
  • the step 504 may be executed after step 518.
  • the secure element 152 decrypts the encrypted keying events.
  • the encrypted keying events may be decrypted using a private cryptographic key.
  • if the correspondence table of the scrambled keypad has been previously encrypted, it is decrypted before, after or at the same time as the encrypted keying events.
  • the secure element 152 reconstitutes the PIC associated with the user based on the one or more keying events and the correspondence table of the scrambled keypad.
  • the PIC is reconstituted by executing a function which outputs the PIC by finding the values corresponding to the position of the keying events. By looking into the correspondence table, this function may determine that the keying event corresponding to "2" is associated with a value 5. The function may then determine that a keying event corresponds to a PIC entry of 5.
  • This example is only provided as an illustrative example for reconstituting the PIC, and is one of the possible methods for determining corresponding keying events, as it may be recognized by a person skilled in the art of the present technology.
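The data structures of FIGS. 2a to 2c and the entry flow of steps 502 to 520 above, as an added Python example that is not part of the patent or of any Mobeewave product. The 3x4 key geometry, the screen origin and all class and function names are assumptions. It keeps the three roles separate: the isolated secured area generates a uniformly random correspondence table with the OS CSPRNG, the touch screen controller maps coordinates to key positions using only the hot spots layout, and the secure element is the only party that combines positions with the table. `candidate_pic_count` quantifies what an observer of keying events alone can learn, and why re-scrambling after each touch helps. Encryption between the components is left out so the mapping logic stays visible.

```python
import secrets
from dataclasses import dataclass
from typing import Optional, Sequence

DIGITS = "0123456789"


@dataclass(frozen=True)
class HotSpot:
    """One key of the hot spots layout: keypad position plus its inclusive rectangle."""
    position: int
    x0: int
    y0: int
    x1: int
    y1: int

    def contains(self, x: int, y: int) -> bool:
        return self.x0 <= x <= self.x1 and self.y0 <= y <= self.y1

    def center(self) -> tuple:
        return ((self.x0 + self.x1) // 2, (self.y0 + self.y1) // 2)


def generate_correspondence_table(symbols: str = DIGITS) -> tuple:
    """Isolated secured area: index = keypad position, value = symbol drawn there.
    Fisher-Yates driven by the OS CSPRNG gives a uniformly random permutation; a
    seeded or modulo-biased generator would let an observer narrow the table down."""
    table = list(symbols)
    for i in range(len(table) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        table[i], table[j] = table[j], table[i]
    return tuple(table)


def generate_hot_spots_layout(origin=(0, 400), key_w=100, key_h=80, cols=3) -> tuple:
    """Rectangles for 10 positions: 0..8 in a 3x3 grid, 9 centred in a fourth row.
    Geometry and screen origin are assumptions, not taken from the patent."""
    ox, oy = origin
    layout = []
    for pos in range(10):
        row, col = (pos // cols, pos % cols) if pos < 9 else (3, 1)
        x0, y0 = ox + col * key_w, oy + row * key_h
        layout.append(HotSpot(pos, x0, y0, x0 + key_w - 1, y0 + key_h - 1))
    return tuple(layout)


def render_keypad(table: Sequence[str], layout: Sequence[HotSpot]) -> dict:
    """Display controller's view: which symbol is drawn in which rectangle."""
    return {hs.position: table[hs.position] for hs in layout}


def touch_to_keying_event(layout: Sequence[HotSpot], x: int, y: int) -> Optional[int]:
    """Touch screen controller: knows the geometry, never the symbols. Returns the
    position hit, or None for a touch that lands outside every key."""
    for hs in layout:
        if hs.contains(x, y):
            return hs.position
    return None


def reconstitute_pic(tables: Sequence[Sequence[str]], events: Sequence[int]) -> str:
    """Secure element: the only party holding both tables and keying events.
    tables[i % len(tables)] is the table that was on screen for event i, so one
    table for the whole entry or one table per touch (re-scrambling) both work."""
    return "".join(tables[i % len(tables)][pos] for i, pos in enumerate(events))


def simulate_user_entry(pic: str, tables, layout) -> list:
    """Constructed user: find each digit on the keypad currently shown and touch
    the centre of that key; returns what the touch screen controller emits."""
    events = []
    for i, digit in enumerate(pic):
        pos = tables[i % len(tables)].index(digit)
        x, y = layout[pos].center()
        events.append(touch_to_keying_event(layout, x, y))
    return events


def run_entry(pic: str, rescramble_per_touch: bool = False) -> tuple:
    """End to end: generate tables and layout, collect events, reconstitute the PIC."""
    layout = generate_hot_spots_layout()
    tables = [generate_correspondence_table()
              for _ in range(len(pic) if rescramble_per_touch else 1)]
    events = simulate_user_entry(pic, tables, layout)
    return events, reconstitute_pic(tables, events)


def candidate_pic_count(events: Sequence[int], rescrambled_per_touch: bool = False) -> int:
    """What keying events alone reveal: with one table, equal positions mean equal
    digits, leaving 10*9*...*(10-k+1) candidates for k distinct positions; with a
    fresh table per touch every digit is independent (10**n candidates)."""
    if rescrambled_per_touch:
        return 10 ** len(events)
    count = 1
    for i in range(len(set(events))):
        count *= 10 - i
    return count


if __name__ == "__main__":
    events, recovered = run_entry("2580", rescramble_per_touch=True)
    print("keying events on the bus:", events, "-> PIC at secure element:", recovered)
```

Nothing that leaves the touch screen controller carries a digit, only a position; an attacker reading the controller's output for a four-digit entry with distinct positions is left with 5040 candidates under a single table and 10000 under per-touch re-scrambling, and needs the table (held only by the secure element) to do better.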
  • the reconstituted PIC is encrypted by the secure element.
  • the encrypted PIC is transmitted to the isolated secured area of the processor after being encrypted by the secure element.
  • the encrypted PIC may then be sent via a communication network to a remote server to finalize the transaction.
  • if the correspondence table has been previously encrypted, the encrypted correspondence table of the scrambled keypad and the encrypted keying events may be sent to a remote server before being decrypted and reconstituted to a PIC by the remote server.
  • the user may be prompted to supply an additional method of authentication, including but not limited to biometric data, a second PIC, or any other computer-readable information associated with the user.
  • the present method and systems may be used in different non-limiting contexts.
  • An exemplary use is during a financial transaction between a client and a merchant, where a mobile device such as a phone or tablet implements the method and system and may be used as a payment terminal by the merchant.
  • the client may tap his card on the device to make a payment, with the card comprising a RFID or NFC chip, the device also comprising a RFID or NFC interface to communicate with the card.
  • the device may present a PIC entry screen with a security indicator associated with the user, and prompt the user to enter his PIC to confirm the transaction.
  • the client may receive a confirmation of the transaction from the merchant and/or the financial institution holding a relevant account associated with the client.
  • a first person possessing a payment card could transfer funds to a second person possessing a mobile device.
  • the first person could tap his or her card on the second person's mobile device, with the card comprising a RFID or NFC chip, the device also comprising a RFID or NFC interface to communicate with the card.
  • the second person may present the device with a PIC entry screen comprising a security indicator associated with the first person, and prompt the first person to enter his PIC to confirm the transaction.
  • the payment could also be made the opposite way, where funds are transferred from the second person's device to the first person's card, in which case the second person enters his own PIC on his own device.
  • Another exemplary use is during a transaction between two persons, the two persons having NFC or RFID enabled devices.
  • the two persons could exchange funds by approaching their devices together.
  • the two persons could initiate and perform the transaction at a distance through a communications network.
  • to confirm the transaction at least one person may be prompted with a PIC confirmation screen to complete the transaction.
  • the features and examples above are not meant to limit the scope of the present disclosure to a single embodiment, as other embodiments are possible by way of interchange of some or all of the described or illustrated elements.

Abstract

A system and a method for operating a device. The method comprises generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad; transmitting the correspondence table, the visual representation of the scrambled keypad; and the hot spots layout. The method further comprises causing to display, by a display controller, the visual representation of the scrambled keypad on a display screen; detecting, by a touch screen controller, a touch event input from a user through a touch screen; generating, by the touch screen controller, a keying event based on the touch event input and the hot spots layout; encrypting the keying event; and transmitting, to a secure element, the encrypted keying event. The method also comprises decrypting the encrypted keying event; and reconstituting a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.

Description

SYSTEM FOR AND METHOD OF AUTHENTICATING A USER ON A DEVICE
CROSS-REFERENCE
[01] The present application claims convention priority to U.S. Provisional Patent Application No. 62/271,428, filed December 28, 2015, entitled "SYSTEM FOR AND METHOD OF AUTHENTICATING A USER ON A DEVICE" which is incorporated by reference herein in its entirety.
FIELD
[02] The present technology relates to systems and methods for authenticating a user on mobile devices. The system and method may be used in the context of conducting transactions on a mobile device, more particularly secured financial transactions.
BACKGROUND
[03] This section is intended to introduce the reader to various aspects of art that may be related to various aspects of the present disclosure, which are described and/or claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present technology. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.
[04] Payment terminals, also known as point of sale (POS) terminals, are well established in the art. They are used for electronic funds transfers between retailers and customers where transactions are conducted by swiping, inserting or tapping payment cards with a POS terminal. Some POS terminals support only magnetic stripe technology (swiping), while other terminals additionally or exclusively support so-called chip cards or smart cards, which comprise a microprocessor chip embedded in the card. This chip provides a high level of security against both logical and physical attacks aiming to clone the card or compromise sensitive information stored within it.
[05] In order to ensure security during the financial transactions involving chip cards, security standards such as the Europay, MasterCard, and Visa (EMV) transaction standard have been developed and used to certify both the payment terminals and the payment cards. However, due to various factors, including the technical complexity required to meet the security standards, payment terminals that are used to conduct secured financial transactions are usually devices that are cumbersome, costly and solely dedicated to the conduct of financial transactions.
[06] Mobile payment systems and digital wallets such as Apple Pay®, Android Pay® and Samsung Pay® allow customers to store their credit card information on their mobile devices and use their devices to make payments via near field communication (NFC) or radio-frequency identification (RFID) on adapted contactless point of sale terminals.
[07] However, mobile devices may not have the required security standards to be used as payment terminals, are not accepted everywhere and thus do not completely eliminate the need for dedicated payment terminals.
[08] As a response to at least some of the shortcomings of the technologies detailed above, approaches have been developed to allow a general-purpose mobile device, such as, but not limited to, a smart phone, to be turned into a payment terminal. Such approaches include the method, device, add-on and secure element of U.S. Patent Publication 2014/0324698 wherein a method and a device for conducting a secured financial transaction are provided, the device comprising a CPU and a secure element, wherein a purchase amount to be debited from a financial account is acquired, data relating to the financial account is acquired, and a transaction authorization from a financial institution related to the financial transaction is acquired, with the authorization based, at least partially, on data processed solely by the secure element independent from data processed by the CPU.
[09] In addition, methods and systems have been developed to address the need for securely authenticating a user, through his/her Personal Identification Number (PIN), when conducting a financial transaction using a payment card at a dedicated point of sale terminal. Such methods and systems, whereby the payment terminal acts as a PIN Entry Device (PED), aim to meet the required level of security specified in international standards such as ISO 9564, Payment Card Industry (PCI) - PIN Transaction Security (PTS), and other applicable PCI standards, which have been developed for PIN security and management in retail banking, the standards comprising requirements for PIN length, selection, issuance, delivery, encryption algorithms, storage, transmission, secure entry and requirements for offline PIN handling in ATM and POS systems.
[10] Various approaches have been recently developed in order to ensure a certain level of security during the input of a PIN. Such approaches generally focus on bulky payment terminals, where a scrambled PIN pad image is received by the device, is superimposed on top of an underlying keypad, such that a user enters an encoded version of his PIN, and the encoded version is then preferably sent to a remote server and decoded to process the PIN. However, such methods may not fully comply with financial security standards, may not allow offline processing and/or may not be enabled on a mobile device to be used as payment terminal.
[11] There is therefore a need in the art for a method and system for obtaining a personal identification code (PIC) on a mobile device while providing a certain level of security, minimizing added cost and/or disruption to the design (e.g., by limiting and/or eliminating the need for hardware components not already present on the device for other reasons). Such level of security may be, but not necessarily, selected so as to be compliant with certain security standards.
SUMMARY [12] Embodiments of the present technology have been developed based on inventors' appreciation that known approaches for secured PIN entry may, in some instances, not be relied upon to conduct secured financial transactions compliant with financial industry standards on mobile devices. Improvements are therefore desirable, in particular improvements aimed at assuring that a PIC is stored either in a secure environment or in encrypted form in a non-secure environment and therefore not accessible to untrusted software running on the main processor.
[13] The present technology arises from an observation made by the inventor(s) that, while the usage of mobile devices has been democratized, the majority of financial transactions are still made using bulky payment terminals because of the lack of secure methods for conducting PIC entry on a mobile device. However, in light of the latest developments in the art, the inventor(s) have devised a method and a system for conducting secured financial transactions on a mobile device while providing a certain level of security.
[14] It is an object of the present technology to provide a method of and system for operating a device, the device comprising a processor, the processor comprising an isolated secured area, a display screen operatively connected to a display screen controller, the display screen controller operatively connected to the processor, a touch screen operatively connected to a touch screen controller, the touch screen controller operatively connected to the processor and a secure element associated with the processor. The method and system comprise generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad, transmitting, to the secure element, the correspondence table, transmitting, to the display controller, the visual representation of the scrambled keypad, transmitting, to the touch screen controller, the hot spots layout, causing to display, by the display controller, the visual representation of the scrambled keypad on the display screen, detecting, by the touch screen controller, a touch event input from a user on the touch screen, generating, by the touch screen controller, a keying event based on the touch event input and the hot spots layout, encrypting, by the touch screen controller, the keying event, transmitting, to the secure element, the encrypted keying event, decrypting, by the secure element, the encrypted keying event and reconstituting, by the secure element, a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.
[15] In general, another aspect of the subject matter described in the specification can be embodied in a method and system that further comprises, prior to transmitting, to the secure element, the correspondence table, encrypting the correspondence table.
[16] In general, another aspect of the subject matter described in the specification can be embodied in a method and system that further comprises, after encrypting the correspondence table, decrypting, by the secure element, the correspondence table. [17] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein an unencrypted version of the PIC remains inaccessible to any one of the processor, the display controller, the touch screen controller and the isolated secured area of the processor, at any given time. [18] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein an unencrypted version of the PIC is solely accessible by the secure element.
[19] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the isolated secured area only accesses an encrypted version of the PIC.
[20] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the touch screen controller does not have access to the correspondence table nor to the visual representation of the scrambled keypad, at any given time. [21] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the secure element is securely connected to the processor.
[22] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the isolated secured area of the processor comprises a trusted user interface.
[23] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the touch screen controller is securely connected to the trusted user interface.
[24] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the method further comprises re-scrambling at least a portion of the visual representation of the scrambled keypad by generating a new correspondence table after a keying event occurs. [25] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein multiple correspondence tables, hot spots layouts and visual representations of scrambled keypads are generated before a touch event occurs. [26] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the visual representation of the scrambled keypad is at least one of an image, a video stream and a visual representation of a keypad.
[27] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the method further comprises causing to display, by the display controller, a security indicator previously associated with the user.
[28] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the security indicator previously associated with the user is stored in the isolated secure area of the processor.
[29] In general, another aspect of the subject matter described in the specification can be embodied in a method and system that further comprises, encrypting the reconstituted PIC by the secure element; and transmitting the encrypted reconstituted PIC to the processor.
[30] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein the secure element is at least one of a hardware element operatively connected to the processor, a software component run by the processor, the isolated secured area and a portion of the isolated secured area.
[31] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein generating the correspondence table, the hot spots layout and the visual representation of the scrambled keypad is executed by one of the isolated secured area of the processor and the secure element. [32] In general, another aspect of the subject matter described in the specification can be embodied in a method and system wherein reconstituting the PIC associated with the user comprises mapping the keying events on the correspondence table.
[33] In general, another aspect of the subject matter described in the specification can be embodied as a method and system on a mobile device for conducting secured financial transactions between at least two mobile devices ("peer-to-peer banking").
[34] In other aspects, various implementations of the present technology provide a non-transitory computer-readable medium storing program instructions for conducting secured PIC entry on a device, the program instructions being executable by a processor of a computer-based system to carry out one or more of the above-recited methods.
[35] In other aspects, various implementations of the present technology provide a computer-based system, such as, for example, but without being limitative, a device comprising at least one processor and a memory storing program instructions for conducting secured PIC entry on a device, the program instructions being executable by one or more processors of the computer-based system to carry out one or more of the above-recited methods.
[36] The details of one or more embodiments of the subject matter of this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[37] These and other features, aspects and advantages of the present technology will become better understood with regard to the following description, appended claims and accompanying drawings where: [38] FIG. 1 is an illustration of the components and features of the device in accordance with an embodiment of the present technology; [39] FIG. 2a is an illustration of a possible correspondence table in accordance with an embodiment of the present technology;
[40] FIG. 2b is an illustration of a possible hot spots layout in accordance with an embodiment of the present technology;
[41] FIG. 2c is an illustration of a possible arrangement of a scrambled keypad in accordance with an embodiment of the present technology;
[42] FIG. 3 is an illustration of a possible personal identification code (PIC) authentication screen in accordance with an embodiment of the present technology;
[43] FIG. 4 is a flowchart representation of a communication flow between a processor, a display controller, a touch screen controller and a secure element in accordance with an embodiment of the present technology; and
[44] FIG. 5 is an illustration of a method carried out in accordance with non-limiting embodiments of the present technology.
DETAILED DESCRIPTION OF THE DRAWINGS
[45] Various exemplary embodiments of the described technology will be described more fully hereinafter with reference to the accompanying drawings, in which exemplary embodiments are shown. The present inventive concept may, however, be embodied in many different forms and should not be construed as limited to the exemplary embodiments set forth herein. Rather, these exemplary embodiments are provided so that the disclosure will be thorough and complete, and will fully convey the scope of the present inventive concept to those skilled in the art. In the drawings, the sizes and relative sizes of layers and regions may be exaggerated for clarity. Like numerals refer to like elements throughout.
[46] It will be understood that, although the terms first, second, third etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are used to distinguish one element from another. Thus, a first element discussed below could be termed a second element without departing from the teachings of the present inventive concept. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items. [47] It will be understood that when an element is referred to as being "connected" or "coupled" to another element, it can be directly connected or coupled to the other element or intervening elements may be present. In contrast, when an element is referred to as being "directly connected" or "directly coupled" to another element, there are no intervening elements present. Other words used to describe the relationship between elements should be interpreted in a like fashion (e.g., "between" versus "directly between," "adjacent" versus "directly adjacent," etc.).
[48] The terminology used herein is only intended to describe particular exemplary embodiments and is not intended to be limiting of the present inventive concept. As used herein, the singular forms "a," "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. [49] Throughout the present disclosure, reference is made to secure transactions (for example, but without being limitative, contact and contactless transactions), secure elements (for example, but without being limitative, chipset, secured chipset, hardware embedding secured component, software embedding secured component, or firmware embedding secured component) and security standards. Examples of security standards include, without being limitative, certification standards from Europay, MasterCard, and Visa (EMV), EMVCo, MasterCard®, Visa®, American Express®, JCB®, Discover® and from the PCI SSC (Payment Card Industry Security Standards Council), founded by MasterCard®, Visa®, American Express®, Discover® and JCB® and dealing specifically with the definition of security standards for financial transactions. Reference to secure transactions, secure elements, and security standards is made for the purpose of illustration and is intended to be exemplary of the present technology and not limiting of the scope thereof.
[50] Processor: in the context of this technology, the definition of a processor includes a system on chip (SoC), an integrated circuit that integrates components of a computer in a single chip. A typical SoC may include but is not limited to one or more general-purpose microprocessors or Central Processing Units (CPUs), co-processors such as a digital signal processor (DSP), a Graphics Processing Unit (GPU), and multimedia coprocessors such as MPEG and JPEG encoders and decoders. The SoC may also include modems for various wireless communications interfaces including cellular (e.g. LTE/4G, 3G, GSM, CDMA, etc.), Bluetooth, and Wireless Fidelity (Wi-Fi) (IEEE 802.11). The SoC may include memory controllers for interfacing with on-die or external DRAM memory chips, and on-die memory blocks including a selection of ROM, SRAM, DRAM, EEPROM and flash memory. The SoC may additionally include timing sources, peripherals including counter-timers, real-time timers and power-on reset generators, debug, JTAG and Design For Test (DFT) interfaces, external interfaces, analog interfaces, voltage regulators, power management circuits, etc. The SoC may also include connectivity components such as simple buses or on-chip networks following the ARM Advanced Microcontroller Bus Architecture (AMBA) specification connecting these blocks together as known in the art. Some blocks may be packaged separately and stacked on the top of the SoC, a design known in the art as Package-on-Package (PoP). Alternatively some blocks may be comprised in distinct integrated circuits (or dies) but packaged together, a design known in the art as a System in Package (SiP).
[51] Isolated secured area of the processor: a processing entity characterized by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards. The isolated secured area ensures that sensitive data is stored, processed and protected in a secured and trusted environment of the processor while maintaining high processing speeds and large amounts of accessible memory. The isolated secured area may offer isolated execution, secure storage, remote attestation, secure provisioning, trusted boot and trusted path. The isolated secured area allows the processor to operate in two logical modes: normal world or secure world. The normal world is run by the non-secure area of the processor and may comprise the non-secure Rich Operating System (Rich OS) and the software components and applications that run on top of the Rich OS. The normal world is excluded from accessing resources that are provisioned for exclusive use in the secure world. The secure world is run by the isolated secured area, which is the only entity to have access to resources provisioned for use exclusively in the secured area, such as certain delineated ranges of ROM or RAM memory, processor or co-processor configuration registers, and certain peripherals such as display controllers or touch screen controllers, and their associated configuration registers. Some of the resources provisioned for the exclusive use of the isolated secure area may be on the same die or package as the SoC, while others may be contained in a different die or package. Some of the resources may be dynamically provisioned for the exclusive use of the isolated secure area at certain times, while at other times they may be available for use by the normal world. 
The isolated secured area only runs authorized and trusted applications and provides security against logical attacks generated in the Rich OS environment, attacks aiming to compromise boot firmware, attacks that exploit debug and test interfaces, and other non-invasive attacks. Non-limiting examples of an isolated secured area of the processor include Trusted Execution Environment (TEE), Intel Trusted Execution Technology (TXT), the Trusted Platform Module (TPM), the Hengzhi chip and the IBM Embedded Security Subsystem (ESS) chip. In some embodiments, the isolated secured area of the processor is designed so as to not be accessed, even by a human administrator. In some embodiments, the isolated secured area may be implemented partially or completely via a dedicated hardware element such as, but without being limited thereto, a secure element as defined in the paragraph below. Other variations of the isolated secured area may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
[52] Secure element: a processing entity characterized by specific hardware and/or software components subject to a certification ensuring a specific level of security according to specific security standards. From a hardware perspective, a secure element includes the usual components found in a computing entity: at least one microprocessor (e.g. CPU), memory (e.g. ROM, RAM or FLASH memory), communication interfaces, etc. Specific hardware components may also be included to implement specific functionalities particular to a secure element. For instance, a cryptographic accelerator may be included. Also, various tamper resistance, tamper detection and/or tamper response features may be included to prevent a malicious person from extracting sensitive information from the secure element. Anti-tamper measures may comprise hardware aspects, software aspects, or a combination of hardware and software. Also, certain counter-measures to prevent side-channel attacks aiming to recover cryptographic keys or other sensitive information may be included in the secure element. Counter-measures against side-channel attacks may include hardware aspects, software aspects, or both. Also, measures to reduce EM emissions, such as shielding, may be included, to protect the secure element from eavesdropping. In the context of financial transactions, the certification of the secure element ensures that various financial entities are willing to use the secure element to store and process critical financial data, and to perform secured financial transactions using the critical financial data. In some embodiments, the secure element may be solely characterized by software components. 
The secure element may be, in some embodiments, implemented partially or completely as an isolated secured area of the processor, such as the isolated secured area described in the paragraph above, in which case the secure element may be implemented, for example, but without being limitative, as a TEE, a TPM and/or an ESS. Other variations of the secure element may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
[53] Touch screen: a touch-sensitive sensor device with an input and/or output interface usually superimposed on top of an electronic visual display of an information processing system. Touch screens usually work by detecting tactile and/or haptic contact with the touch screen display. Touch screen technologies may include, but are not limited to resistive, surface acoustic wave, capacitive, projective capacitive, infrared grid, infrared acrylic projection, optical imaging, dispersive signal technology and acoustic pulse recognition touchscreens. Touch screens may include force sensitive components to detect pressure applied to the screen. Touch screens may also include haptic feedback components. Other variations of the touch screen may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
[54] Touch screen controller: a controller that detects the analog touch signals output by the touch screen, may perform analog-to-digital conversion of that output, and may perform signal processing steps to condition the signal and deduce the screen coordinates associated with one or more touch events. Typically, but non-limitatively, the coordinates of touch events are output to a processor over low-bandwidth serial interfaces such as the serial peripheral interface (SPI) and the inter-integrated circuit (I²C) interface, as known in the art. The touch screen controller may be integrated with the display controller or any other block. Other variations of the touch screen controller may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
[55] Display screen: an electronic visual display device with an input and/or output interface used to convey visual information to the user. Display screen technologies may include, but are not limited to, Liquid Crystal Displays (LCD), displays based on Organic Light-Emitting Diode (OLED) technology and displays based on active-matrix organic light-emitting diode (AMOLED) technology.
[56] Display screen controller: A device capable of inputting digital image data, either from a frame buffer in memory or from a standard digital interface such as MIPI or eDP, and outputting analog or digital video signals suitable for interfacing with the specific display screen technology and at an appropriate frame rate (for example, using LVDS). The display controller may be included in the same die or package as the processor SoC, or be a discrete component, or be integrated with the display screen, or a combination. The display controller may include functions for image upscaling, downscaling, rotation and blending.
[57] Trusted User Interface (TUI): A combination of software, hardware and peripheral resources which may be reserved for the exclusive use of the isolated secure area and may be configured in such a way as to give exclusive and non-interruptible control of the display screen (or a portion thereof) and the touch sensor to the isolated secure area and to maintain the integrity and confidentiality of the displayed images and of the touch events generated by the touch sensor and controller. The TUI in a device may be subjected to a certification ensuring a specific level of security according to specific security standards. A TUI automatically detects and only allows authorized or trusted applications to access the content of a secure screen memory. In one embodiment, the TUI is one specific mode in which the device is controlled by the isolated secured area of the processor to ensure that the information displayed on the touch screen is from a trusted source and isolated from the operating system. Other variations of the TUI may also be envisioned by the person skilled in the art of the present technology without departing from the scope of the present technology.
[58] Information / data: the terms "information" and "data" are used interchangeably, and have a similar meaning for the purpose of the present disclosure.
[59] Security standards may comprise multiple security levels, such as, but without being limitative, Level 1, Level 2, or Level 3. As an example, but without being limitative, Level 1 may correspond to a higher level of security than Level 2 which, in turn, may correspond to a higher level of security than Level 3. For example, but without being limitative, the EMVCo specifications may provide examples of security levels and approval and certification standards such as a terminal type approval process, a security evaluation process, a card type approval process, or a mobile type approval process. [60] For example, the terminal type approval process may be a mechanism to test compliance with Europay, MasterCard, and Visa (EMV) specifications. The terminal type approval may provide a level of confidence that interoperability and consistent behavior between compliant applications may be achieved. In an example, the terminal type approval testing may be divided into two levels, Level 1 and Level 2. The Level 1 type approval process may test compliance with the electromechanical characteristics, logical interface, and transmission protocol requirements defined in the EMV specifications. The Level 2 type approval may test compliance with the debit/credit application requirements as defined in the EMV specifications. Additionally, the terminal type approval testing may include a Level 3 approval, which guarantees secure communications between an application executed on the terminal and a financial institution.
[61] Even though the various components defined above are each associated with a definition, it should be understood that each one of the various components should not be construed as being solely limited to the specific functions and/or specifics provided in the associated definition. To the contrary, other functions and/or specifics may be added, removed or combined without departing from the scope of the present technology. In addition, functions and/or specifics may be switched from one component to another component without departing from the scope of the present technology (e.g., a function associated with the touch screen may be switched to the touch screen controller). Some of the various components may also be partially or completely merged together without departing from the scope of the present technology (e.g., the touch screen and the touch screen controller may be merged together to define a single component, or the display controller and the processor may be merged together to define a single component). [62] FIG. 1 is a block diagram illustrating various exemplary components and features of an illustrative device 100 in accordance with one embodiment of the present technology.
[63] In accordance with at least one embodiment described herein, a method and a system for conducting a secured financial transaction on a device are provided. The device comprises a processor, the processor comprising an isolated secured area, a display screen operatively connected to a display screen controller, the display screen controller operatively connected to the processor, a touch screen operatively connected to a touch screen controller, the touch screen controller operatively connected to the processor and a secure element associated with the processor. [64] In some embodiments, the device may be implemented as any device comprising the components needed to carry out a method and a system detailed hereinafter. In some embodiments, the device may include a smartphone, a phablet, a smartwatch and/or a wearable computer, a PDA, a tablet and a computer. In some alternative embodiments, the device may also be embedded in or on objects not solely dedicated to computing and/or information processing functions, such as, but not limited to, a vehicle, a piece of furniture, an appliance, etc.
[65] In the illustrated embodiment, the device 100 comprises a mobile package on package (PoP) chipset 110, a projective capacitive touch panel superimposed on a LCD display 130, a display controller and a touch screen controller 140, a secure element and a contactless front-end 150 and a flash memory 120.
[66] In a non-limiting embodiment, the mobile PoP chipset 110 comprises a Low Power Double Data Rate (LP DDR) memory 112 stacked with a SoC application processor 114. The SoC application processor 114 comprises an isolated secured area (ISA) 115, a central processing unit (CPU) 116, a trusted user interface (TUI) 117, a secure read-only memory (ROM) 118 and a secure random access memory (RAM) 119. The LP DDR 112 comprises a secure RAM memory 113. The mobile PoP chipset 110 is connected to a flash memory 120 comprising secure objects 122.
[67] In some embodiments of the present technology, the device may execute a non- secure operating system (OS). Examples of an OS running on the SoC application processor 114 include, but are not limited to, a version of iOS®, or a derivative thereof, available from Apple Inc.; a version of Android OS®, or a derivative thereof, available from Google Inc.; a version of PlayBook OS®, or a derivative thereof, available from RIM Inc. It is understood that other proprietary OSs or custom made OSs may be equally used without departing from the scope of the present technology.
[68] In some embodiments of the present technology, the isolated secure area may execute a secure OS, which is separate, distinct and isolated from the OS being executed by the non-secure area of the processor. The secure OS typically has higher privilege levels than the non-secure OS, which allow it, for example, to exclude the non-secure OS from accessing sensitive resources. The secure OS may be entirely different from the non-secure OS (e.g. a secure microkernel), or may be substantially the same as the non-secure OS (e.g. a modified version of Android OS®). [69] The touch screen controller 144 is connected to the trusted user interface 117 by way of a serial peripheral interface (SPI) or inter-integrated circuit (I²C) interface, serial interfaces known in the art for attaching integrated circuits (ICs) to processors and microcontrollers. The display controller 142 is connected to the trusted user interface 117 with a MIPI display serial interface (MIPI-DSI) or an embedded DisplayPort (eDP) connection, communication protocols and serial buses between host and device, as would be recognized by someone skilled in the art. The projective capacitive touch panel 134 is superimposed on the LCD display 132. The secure element 152 is connected to the SoC application processor 114 by way of an SPI bus interface. The contactless front-end 154 is connected to the SoC application processor 114 with an I²C interface. In some embodiments, the touch screen controller 144 may be securely connected to the TUI 117, such that every transmission of data between the touch screen controller 144 and the TUI 117 is encrypted. In some embodiments, the secure element 152 is securely connected to the contactless front-end 154 and to the SoC application processor 114, such that every transmission of data between the secure element 152, the contactless front-end 154 and the SoC application processor 114 is encrypted.
Such examples of devices and connections are only presented for an illustrative purpose, and other variations may be possible, as would be recognized by a person skilled in the art of the present technology. [70] Turning now to FIG. 2a, a non-limiting example of a correspondence table 200 is illustrated. In some embodiments, the correspondence table 200 may be an array. Each column of the correspondence table 200 may represent a position 202 on a keypad. Associated with each position 202 is a value 204. In some embodiments, a pseudorandom number generator (PRNG) may generate each value 204, such that each value has only one occurrence in the correspondence table 200 and each value is equally likely to appear in a given position; for the scrambling to be unpredictable, the generator must be seeded from a source an attacker cannot observe or reproduce. The correspondence table 200 may then be used to generate a scrambled keypad, such as the scrambled keypad of FIG. 2c. Other embodiments of the correspondence table may be possible, where values are replaced by letters or symbols, as would be recognized by someone skilled in the art. In some embodiments, the correspondence table, once generated, may be sent to the secure element for subsequent reconstitution of a PIC. [71] Turning now to FIG. 2b, a non-limiting example of a graphical representation of a hot spots layout 240 is illustrated. The hot spots layout 240 corresponds to the geometry and the position of each key that may be pressed by a user on a touch screen. As a non-limiting example, the hot spots layout may define that the key 245, representing position 1 on the keypad, corresponds to every touch event whose coordinate lies within the rectangle defined by the coordinates 242 and 244. The hot spots layout 240 may be sent to a touch screen controller, and the touch screen controller may process a touch event according to the hot spots layout to output a keying event.
[72] Turning now to FIG. 2c, a non-limiting example of a visual representation of a scrambled keypad 280 is illustrated. The visual representation of a scrambled keypad 280 with values 285 may be generated by combining the information in a correspondence table 220 and a hot spots layout 240. In other embodiments, the scrambled keypad 280 may be generated from other types of correspondence tables and hot spots layouts. It is understood that the scrambled keypad 280 is only presented for an illustrative purpose, and other forms and arrangements of a scrambled keypad may be possible, as would be recognized by someone skilled in the art. In some embodiments, the scrambled keypad 280 may be part of a PIC entry screen such as the PIC entry screen of FIG. 3, and transmitted to be displayed on a display screen by a display controller.
[73] A scrambled keypad provides a certain level of security for PIC entry, as it makes the process of direct observation of the PIC by a malevolent person or software more bothersome. Even if a malevolent person or software has access to the touch event outputs or keying events, it is impossible to reconstitute the PIC without knowing the correspondence table of the scrambled keypad. Re-scrambling the keypad after each touch event may add an additional level of security.
[74] Turning now to FIG. 3, a non-limitative embodiment of a personal identification code (PIC) entry screen for conducting a secured transaction is illustrated. In an embodiment of the present technology, the PIC is a personal identification number (PIN). The PIN entry screen may be part of an application or software run by the CPU and/or the isolated secured area of the processor of the device. In other embodiments, the PIN entry screen may be part of, but is not limited to, a standalone application or an extension of another application, or may be called by a procedure call from another application when a secure PIN entry is needed. The PIN entry screen 300 may be displayed on a part of the screen or the whole screen, and may run in parallel with another application appearing on a different part of the screen. In this embodiment, a logo 310 is displayed at the top of the PIN entry screen 300. A text 320 prompting the user to enter her/his PIN is displayed under the logo 310. A data entry field 330, with asterisks corresponding to keys pressed by the user on the touch screen, is displayed under the prompting text 320. A scrambled keypad 340 is displayed under the data entry field 330, with correct, confirm and validate buttons 350. A security indicator 360 associated with the user is displayed at the bottom of the screen. The security indicator 360 comprises a secret shared between the user and a trusted entity, such as but not limited to a financial institution holding his account.
The shared secret may be an image, a catchphrase or any other secret information recognized by the user, and is displayed so that the user may be confident that he is entering his PIC on a trusted application securely connected to a trusted server of his/her financial institution. The security indicator 360 may be a video stream where each single frame contains only a part of the security indicator, such that a malevolent person or software may not be able to reproduce the security indicator from a single photograph or screenshot. In some embodiments, the scrambled keypad may be composed of different symbols and/or numbers and/or letters. In alternative embodiments, the security indicator may be visual and/or auditory and/or olfactory and/or tactile, provided that the device has the required technology to support such embodiments. This example is only for illustrative purposes, and many versions of a PIC entry screen may be defined, as would be appreciated by a person skilled in the art of the present technology.
[75] FIG. 4 is a flowchart representation of a communication flow between an isolated secured area of the SoC application processor 404, a display controller 406, a touch screen controller 408 and a secure element 402 in accordance with an embodiment of the method and systems of the present technology. In other embodiments of the current technology, the display controller 406 and the touch screen controller 408 may be merged into a single component. In other embodiments, the role of the secure element may be played by a secure server in the cloud. In this embodiment, the isolated secured area of the SoC application processor 404 generates a correspondence table, an image of a scrambled keypad and coordinates to delimit each key in the scrambled keypad, also known in the art as a hot spots layout. The SoC application processor 404 transmits the scrambled keypad image to the display controller 406.
The SoC application processor 404 transmits the hot spots layout to the touch screen controller 408. The SoC application processor 404 encrypts and transmits the correspondence table to the secure element 402.
[76] In other embodiments, a TUI controlled by the isolated secured area of the SoC application processor 404 may generate a correspondence table, a hot spots layout and a scrambled keypad image, and transmit the scrambled keypad image to the display controller 406, the hot spots layout to the touch screen controller 408 and the correspondence table to the secure element 402. In alternative embodiments, the secure element 402 may generate a correspondence table, a hot spots layout and a scrambled keypad image, and transmit the scrambled keypad image to the display controller 406 and the hot spots layout to the touch screen controller 408. The touch screen controller 408, having received the hot spots layout and thereby having knowledge of the location and dimensions of the keys defined by the isolated secured area of the processor 404, but not their values, may process the touch event inputs by a user with the hot spots layout to create one or more keying events and encrypt the resulting keying events. The touch screen controller 408 may send the encrypted keying events to the secure element 402. In some embodiments, the touch screen controller 408 is directly connected to the secure element 402. In other embodiments, the touch screen controller 408 may send encrypted keying events to the isolated secured area of the SoC application processor 404, and the isolated secured area 404 may then send the encrypted keying events to the secure element 402. Finally, the secure element 402 may decrypt the encrypted keying events and the encrypted correspondence table to reconstitute a PIC. In some embodiments, the secure element 402 is the only component able to decrypt the encrypted correspondence table and the encrypted keying events. In other embodiments, the secure element 402 is the only component able to reconstitute a PIC from unencrypted versions of the correspondence table and the keying events.
In alternative embodiments, the secure element 402 is the only component having access to an unencrypted version of the PIC. After reconstituting the PIC, the secure element 402 may encrypt the reconstituted PIC, and transmit the encrypted PIC to the isolated secured area 404. In some embodiments, after reconstituting the PIC, the PIC may be combined with other information, prior to encrypting the PIC together with the other information. For example, in the context of financial transactions, the PIN may be combined with a Personal Account Number (PAN) to form a PIN block, as specified by the ISO 9564 standard. After the encrypted PIC is transmitted to the isolated secure area, the isolated secure area may transmit the encrypted PIC, through the Internet or other networks, to the financial institution holding the user's account, possibly through the communications interfaces of the non-secure area of the processor, so that the transaction may be authorized.
[77] Having described, with reference to FIG. 1 to FIG. 4, some non-limiting example instances of systems and computer-implemented methods used in connection with the problem of conducting a transaction using a PIC, we shall now describe general solutions to the problem with reference to FIG. 5.
[78] More specifically, FIG. 5 shows a flowchart illustrating a first computer-implemented method 500 for conducting a secured PIC entry on a device. In some embodiments, the secured PIC entry refers to a secured financial transaction using a mobile device. In some embodiments, the first computer-implemented method 500 may be (completely or partially) implemented on the mobile device 100.
[79] The method 500 starts at a step 502 with the generation of a correspondence table, a hot spots layout and a scrambled keypad image, such as but not limited to the correspondence table of FIG. 2a, the hot spots layout of FIG. 2b and the scrambled keypad image of FIG. 2c. In some embodiments, the correspondence table, the hot spots layout and the scrambled keypad image may be generated in the isolated secured area of the processor 115. In alternative embodiments, the correspondence table, the hot spots layout and the scrambled keypad image may be generated in a secure element 152. In other embodiments, the correspondence table, the hot spots layout and the scrambled keypad image may be generated by an external secure module and securely transmitted to an isolated secured area of the processor 115. In some embodiments, the correspondence table, the hot spots layout and the scrambled keypad image may be generated by an external device or server, encrypted and sent over a communication network to the device. According to alternative embodiments of the present technology, one or more correspondence tables, hot spots layouts and scrambled keypad images may be generated at the same time. According to other embodiments, one or more correspondence tables, hot spots layouts and scrambled keypad images may be generated at different times.
[80] Generally, but non-limitatively, to generate a scrambled keypad, a correspondence table or array is first created, where the size of the array corresponds to the number of keys in the keypad. Each position in the array, from 0 to 9, has for value a random number, such that each number from 0 to 9 appears only once as a value in the array. A scrambled keypad image may then be generated from the correspondence array, where each key position has the corresponding value. A hot spots layout may also be generated, where the location and geometry of the operable keys are defined. In some embodiments, the geometry and the position of the hot spots layout may also be randomized and/or encoded and may be further encrypted. Different methods for generating the correspondence table, the hot spots layout and the scrambled keypad image may be possible, as it would be recognized by someone skilled in the art of the present technology.
[81] The scrambled keypad image may then be integrated in a PIC entry screen, such as the PIC entry screen of FIG. 3. A visual representation of a scrambled keypad may be generated in the form of an image. In another embodiment of the present technology, the scrambled keypad may be generated in the form of a video stream, where each single frame of the video stream contains only a part of the keypad, and the rapid succession of frames makes the video stream appear as a static image to the human eye. This may add a layer of security by making the process of capturing the scrambled keypad by means of photographing the device or screen capture more bothersome, as no single frame contains enough information to reconstruct the scrambled keypad and thereby gain knowledge of the correspondence table.
[82] Next, at a step 504, the correspondence table of the scrambled keypad is transmitted to the secure element 152. In some embodiments, the correspondence table may be encrypted before being transmitted to the secure element 152.
[83] Next, at a step 506, the scrambled keypad image is transmitted to a display controller 142. In some embodiments, a plurality of different PIC entry screens comprising different scrambled keypads may be transmitted to the display controller 142. In other embodiments, a TUI 117 may generate the correspondence table, the hot spots layout and the scrambled keypad image, and transmit the scrambled keypad image to the display controller 142. In some embodiments, the PIC entry screen may comprise a security indicator. In other embodiments, the scrambled keypad image is transmitted from the secure element to the isolated secured area before being transmitted to the display controller 142. In alternative embodiments, the correspondence table, the hot spots layout and the scrambled keypad image may be generated in the secure element 152, with the secure element 152 directly connected to the display controller 142, and the scrambled keypad image then transmitted to the display controller.
[84] At a step 508, the hot spots layout is transmitted to the touch screen controller. In some embodiments, the hot spots layout is generated in the isolated secured area of the processor and transmitted to the touch screen controller. In other embodiments, the hot spots layout is generated in the secure element, encrypted and transmitted to the touch screen controller.
[85] At a step 510, the display controller 142 causes to display the scrambled keypad image on the display screen 132. The scrambled keypad image may be displayed on any part of the display screen 132. In some embodiments, each key of the scrambled keypad image may be displayed on corresponding physical keys comprising embedded screens. In other embodiments, a security indicator may be displayed at the same time as the scrambled keypad.
[86] At a step 512, the touch screen controller 144 detects one or more touch event inputs on the touch screen 134 from a user. The touch event inputs may be input by a user with her/his fingers, with a stylus/pen, or with anything that may be sensed by the touch screen 134. As a non-limiting example, the touch screen 134 may use projected capacitive (p-cap) technology to sense an input, wherein capacitive sensors detect anything that is conductive or that has a dielectric constant different from air. The capacitive sensors comprise individual electrodes or electrode intersections that are repeatedly and iteratively scanned by a touch screen controller in order to detect changes in capacitance. A precise x-y touch coordinate with a corresponding state (e.g. touch or release) may be determined by interpolating values of capacitance from multiple adjacent electrodes or intersections. In some embodiments, the touch screen 134 may also comprise pressure sensors to detect different levels of pressure. In alternative embodiments, the keypad displayed on screen may be re-scrambled or changed to a different layout by the isolated secured area of the processor 115 after each touch event input, such that a different scrambled keypad appears after each touch input by the user. In an alternative embodiment, a mouse, a trackpad or a touch screen may be connected to the device, and the corresponding events may be processed by a touch screen controller or an isolated secured area of the processor.
[87] At a step 514, the touch screen controller 144 generates one or more keying events based on the touch event inputs by the user at step 512. The touch screen controller first processes the analog touch event inputs by the user into digital touch event outputs. The generation of touch event outputs based on touch event inputs by a user on a touch screen is well known in the art of the present technology. In some embodiments, a z touch coordinate may also be generated if the touch screen 134 comprises a pressure sensor. In alternative embodiments, the touch screen controller 144 may dismiss every gesture that is not a single touch input, such as but not limited to swiping gestures or multi-touch gestures. In some embodiments, multiple touch event outputs may correspond to a single keying event. The touch event output coordinates may be converted into keying events by comparing them with the hot spots layout, wherein a touch event may correspond to position "2" on the scrambled keypad because the touch event's output coordinate falls within the limits of the hot spot at position "2".
[88] At a step 516, the touch screen controller 144 encrypts the one or more keying events generated at the step 514. In some embodiments, the one or more keying events may be encrypted using asymmetric cryptography, while in other embodiments symmetric cryptography may be used. In some embodiments block ciphers may be used, while in other embodiments stream ciphers may be used. In still other embodiments, white-box cryptography may be used. If using asymmetric cryptography, the keying events may be encrypted using a public or a private cryptographic key. Some embodiments may employ the RSA algorithm, while other embodiments may employ algorithms based on elliptic curves, the discrete logarithm problem, or other mathematical principles. If using symmetric cryptography, the key is secret and the encryption algorithm may be DES, TDES or AES, or other encryption methods known in the art. In some embodiments, the touch screen controller may encrypt the touch events according to encryption security standards of the financial industry. In some embodiments, the key used may be changed for each transaction, and be unique to each device. More specifically, the key may be changed according to the ANSI X9.24 specifications and the Derived Unique Key Per Transaction (DUKPT) method.
[89] At a step 518, the touch screen controller 144 transmits the encrypted keying events of the step 516. In some embodiments, the touch screen controller 144 transmits the encrypted keying events to the secure element 152. In other embodiments, the touch screen controller 144 may be directly connected to the secure element 152. In alternative embodiments, the touch screen controller may transmit the encrypted keying events to the isolated secured area of the processor 115, and the encrypted keying events may then be transmitted to the secure element 152 by the isolated secured area of the processor.
[90] Various other orderings of some of the steps in Fig. 5 are possible, as will be readily apparent to someone skilled in the art. For example, in some embodiments, step 504 may be executed after step 506 and/or step 508. In some embodiments, the steps 504 and 518 may be executed at the same time. In other embodiments, the step 504 may be executed after step 518.
[91] At a step 520, the secure element 152 decrypts the encrypted keying events. In some embodiments, the encrypted keying events may be decrypted using a private cryptographic key. In embodiments wherein the correspondence table of the scrambled keypad has been previously encrypted, it is decrypted before, after or at the same time as the encrypted touch events.
[92] At a step 522, the secure element 152 reconstitutes the PIC associated with the user based on the one or more keying events and the correspondence table of the scrambled keypad. In some embodiments, the PIC is reconstituted by executing a function which outputs the PIC by finding the values corresponding to the positions of the keying events. By looking up the correspondence table, this function may determine that the keying event corresponding to position "2" is associated with the value 5. The function may then determine that this keying event corresponds to a PIC entry of 5. This example is only provided to illustrate the reconstitution of the PIC, and is one of the possible methods for mapping keying events to values, as would be recognized by a person skilled in the art of the present technology.
[93] In some embodiments, the reconstituted PIC is encrypted by the secure element. In some embodiments, the encrypted PIC is transmitted to the isolated secured area of the processor after being encrypted by the secure element. The encrypted PIC may then be sent via a communication network to a remote server to finalize the transaction. In alternative embodiments wherein the correspondence table has been previously encrypted, the encrypted correspondence table of the scrambled keypad and the encrypted keying events may be sent to a remote server before being decrypted and reconstituted to a PIC by the remote server. In alternative embodiments, the user may be prompted to supply an additional method of authentication, including but not limited to biometric data, a second PIC, or any other computer-readable information associated with the user.
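The flow of FIG. 4 and steps 502 to 522, as an added, constructed Python simulation that is not the patent's or Mobeewave's code: the isolated secured area generates the correspondence table and a hot spots layout, the touch screen controller turns touch events into keying events and seals them for the link to the secure element, and the secure element opens them and reconstitutes the PIC, including the per-keystroke re-scrambling of claim 11. The 3x3 key geometry, the (x, y, state) touch-event format and the HMAC-based stand-in for the link cipher are assumptions.

```python
"""Constructed simulation of the scrambled-keypad PIC entry of FIG. 4 / FIG. 5.
Added example, not the patent's code: names follow the description; the key
geometry, the touch-event format and the link encryption are assumptions. The
cipher is a stdlib stand-in (HMAC-SHA256 keystream plus tag) for AES/TDES with DUKPT."""
import hashlib
import hmac
import secrets
KEY_COUNT = 10  # keypad positions 0..9


def generate_correspondence_table(rng=None):
    """Step 502: position -> displayed value, a uniformly random permutation
    of 0..9, so each value occurs once and is equally likely at any position."""
    rng = rng or secrets.SystemRandom()
    values = list(range(KEY_COUNT))
    rng.shuffle(values)
    return values


def generate_hot_spots_layout(x_off=0, y_off=0, key_w=100, key_h=80):
    """Step 502: hot spots as (position, x0, y0, x1, y1), upper bounds exclusive.
    Constructed geometry: positions 1..9 in a 3x3 grid, 0 centred in a fourth row.
    As in the patent, the layout carries key positions only, never their values."""
    layout = []
    for pos in range(1, KEY_COUNT):
        col, row = (pos - 1) % 3, (pos - 1) // 3
        layout.append((pos, x_off + col * key_w, y_off + row * key_h,
                       x_off + (col + 1) * key_w, y_off + (row + 1) * key_h))
    layout.append((0, x_off + key_w, y_off + 3 * key_h,
                   x_off + 2 * key_w, y_off + 4 * key_h))
    return layout


def position_at(layout, x, y):
    """Return the keypad position whose hot spot contains (x, y), or None."""
    for pos, x0, y0, x1, y1 in layout:
        if x0 <= x < x1 and y0 <= y < y1:
            return pos
    return None


def touch_controller_keying_events(layout, touches):
    """Steps 512-514: the touch screen controller turns (x, y, state) touch events
    into keying events (positions). A key registers when a 'release' lands in the
    hot spot of the preceding 'touch'; anything else (touches between keys, drags
    ending on another key) produces no keying event."""
    events, pressed = [], None
    for x, y, state in touches:
        pos = position_at(layout, x, y)
        if state == "touch":
            pressed = pos
        elif state == "release":
            if pos is not None and pos == pressed:
                events.append(pos)
            pressed = None
    return events


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Step 516 stand-in: encrypt-then-MAC under the link key; output nonce||ct||tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key, blob):
    """Step 520 stand-in: verify the tag before decrypting; tampered input is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("keying events failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def secure_element_reconstitute(tables, keying_events):
    """Step 522: map each keying event (a position) to its value. One table serves
    every keystroke; with re-scrambling after each touch (claim 11) pass one table
    per keystroke, in order."""
    if len(tables) == 1:
        tables = list(tables) * len(keying_events)
    if len(tables) != len(keying_events):
        raise ValueError("need one correspondence table per keying event")
    return "".join(str(table[pos]) for table, pos in zip(tables, keying_events))


def run_pic_entry(tables, layout, touches, link_key):
    """End to end: the TSC seals its keying events (516-518), the secure element opens
    them (520) and reconstitutes the PIC (522). Returns (link positions, PIC)."""
    blob = seal(link_key, bytes(touch_controller_keying_events(layout, touches)))
    positions = list(open_sealed(link_key, blob))
    return positions, secure_element_reconstitute(tables, positions)
```

The returned positions are all that the touch screen controller, and anyone reading its link, ever hold; the digits only exist once the secure element applies the table.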
[94] The present method and systems may be used in different non-limiting contexts. An exemplary use is during a financial transaction between a client and a merchant, where a mobile device such as a phone or tablet implements the method and system and may be used as a payment terminal by the merchant. The client may tap his card on the device to make a payment, with the card comprising a RFID or NFC chip, the device also comprising a RFID or NFC interface to communicate with the card. The device may present a PIC entry screen with a security indicator associated with the user, and prompt the user to enter his PIC to confirm the transaction. In some embodiments, the client may receive a confirmation of the transaction from the merchant and/or the financial institution holding a relevant account associated with the client.
[95] Another exemplary use is during a peer-to-peer transaction, where a first person possessing a payment card could transfer funds to a second person possessing a mobile device. The first person could tap his or her card on the second person's mobile device, with the card comprising a RFID or NFC chip, the device also comprising a RFID or NFC interface to communicate with the card. The second person may present the device with a PIC entry screen comprising a security indicator associated with the first person, and prompt the first person to enter his PIC to confirm the transaction. The payment could also be made the opposite way, where the fund is transferred from the second person's device to the first person's card, in which case the second person enters his own PIC on his own device.
[96] Another exemplary use is during a transaction between two persons, the two persons having NFC or RFID enabled devices. The two persons could exchange funds by bringing their devices together. Alternatively, the two persons could initiate and perform the transaction at a distance through a communications network. In either case, to confirm the transaction, at least one person may be prompted with a PIC confirmation screen to complete the transaction.
[97] Notably, the features and examples above are not meant to limit the scope of the present disclosure to a single embodiment, as other embodiments are possible by way of interchange of some or all of the described or illustrated elements. Moreover, where certain elements of the present disclosure can be partially or fully implemented using known components, only those portions of such known components that are necessary for an understanding of the present disclosure are described, and detailed descriptions of other portions of such known components are omitted so as not to obscure the disclosure. In the present specification, an embodiment showing a singular component should not necessarily be limited to other embodiments including a plurality of the same component, and vice-versa, unless explicitly stated otherwise herein. Moreover, applicants do not intend for any term in the specification or claims to be ascribed an uncommon or special meaning unless explicitly set forth as such. Further, the present disclosure encompasses present and future known equivalents to the known components referred to herein by way of illustration.
[98] The foregoing description of the specific embodiments so fully reveals the general nature of the disclosure that others can, by applying knowledge within the skill of the relevant art(s) (including the contents of the documents cited and incorporated by reference herein), readily modify and/or adapt for various applications such specific embodiments, without undue experimentation, and without departing from the general concept of the present disclosure. Such adaptations and modifications are therefore intended to be within the meaning and range of equivalents of the disclosed embodiments, based on the teaching and guidance presented herein. It is to be understood that the phraseology or terminology herein is for the purpose of description and not of limitation, such that the terminology or phraseology of the present specification is to be interpreted by the skilled artisan in light of the teachings and guidance presented herein, in combination with the knowledge of one skilled in the relevant art(s).
[99] While the above-described implementations have been described and shown with reference to particular steps performed in a particular order, it will be understood that these steps may be combined, sub-divided, or re-ordered without departing from the teachings of the present technology. The steps may be executed in parallel or in series. Accordingly, the order and grouping of the steps is not a limitation of the present technology.
[100] While various embodiments of the present disclosure have been described above, it should be understood that they have been presented by way of example, and not limitation. It would be apparent to one skilled in the relevant art(s) that various changes in form and detail could be made therein without departing from the spirit and scope of the disclosure. Thus, the present disclosure should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.

Claims

What is claimed is:
1. A method for operating a device, the device comprising a processor, the processor comprising an isolated secured area, a display screen operatively connected to a display screen controller, the display screen controller operatively connected to the processor, a touch screen operatively connected to a touch screen controller, the touch screen controller operatively connected to the processor, a secure element associated with the processor, the method comprising:
generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad;
transmitting, to the secure element, the correspondence table;
transmitting, to the display controller, the visual representation of the scrambled keypad;
transmitting, to the touch screen controller, the hot spots layout;
causing to display, by the display controller, the visual representation of the scrambled keypad on the display screen;
detecting, by the touch screen controller, a touch event input from a user on the touchpad;
generating, by the touch screen controller, a keying event based on the touch event input and the hot spots layout;
encrypting, by the touch screen controller, the keying event;
transmitting, to the secure element, the encrypted keying event;
decrypting, by the secure element, the encrypted keying event; and
reconstituting, by the secure element, a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.
2. The method of claim 1, further comprising, prior to transmitting, to the secure element, the correspondence table, encrypting the correspondence table.
3. The method of claim 2, further comprising, after encrypting the correspondence table, decrypting, by the secure element, the correspondence table.
4. The method of any of claims 1 to 3, wherein an unencrypted version of the PIC remains inaccessible to any one of the processor, the display controller, the touch screen controller and the isolated secured area of the processor, at any given time.
5. The method of any of claims 1 to 4, wherein an unencrypted version of the PIC is solely accessible by the secure element.
6. The method of any of claims 1 to 5, wherein the isolated secured area only accesses an encrypted version of the PIC.
7. The method of any of claims 1 to 6, wherein the touch screen controller does not have access to the correspondence table nor to the visual representation of the scrambled keypad, at any given time.
8. The method of any of claims 1 to 7, wherein the secure element is securely connected to the processor.
9. The method of any of claims 1 to 8, wherein the isolated secured area of the processor comprises a trusted user interface.
10. The method of claim 9, wherein the touch screen controller is securely connected to the trusted user interface.
11. The method of any of claims 1 to 10, wherein the method further comprises re-scrambling at least a portion of the visual representation of the scrambled keypad by modifying the correspondence table after a keying event occurs.
12. The method of any of claims 1 to 11, wherein multiple correspondence tables, hot spots layouts and visual representations of scrambled keypads are generated before a touch event occurs.
13. The method of any of claims 1 to 12, wherein the visual representation of the scrambled keypad is at least one of an image and a video stream.
14. The method of any of claims 1 to 13, wherein the method further comprises causing to display, by the display controller, a security indicator previously associated with the user.
15. The method of claim 14, wherein the security indicator previously associated with the user is stored in the isolated secure area of the processor.
16. The method of any of claims 1 to 15, further comprising:
encrypting the reconstituted PIC by the secure element; and
transmitting the encrypted reconstituted PIC to the processor.
17. The method of any of claims 1 to 16, wherein the secure element is at least one of a hardware element operatively connected to the processor, a software component run by the processor, the isolated secured area and a portion of the isolated secured area.
18. The method of any of claims 1 to 17, wherein generating the correspondence table, the hot spots layout and the visual representation of the scrambled keypad is executed by one of the isolated secured area of the processor and the secure element.
19. The method of any of claims 1 to 18, wherein reconstituting the PIC associated with the user comprises mapping the keying event to a value using the correspondence table.
20. A method for operating a device, the device comprising a processor, the processor comprising an isolated secured area, the isolated secured area defining a secure element, a display screen operatively connected to a display screen controller, the display screen controller operatively connected to the processor, a touch screen operatively connected to a touch screen controller, the touch screen controller operatively connected to the processor, the method comprising:
generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad;
transmitting, to the secure element, the correspondence table;
transmitting, to the display controller, the visual representation of the scrambled keypad;
transmitting, to the touch screen controller, the hot spots layout;
causing to display, by the display controller, the scrambled keypad on the display screen;
detecting, by the touch screen controller, a touch event input from a user on the touchpad;
generating, by the touch screen controller, a keying event based on the touch event input;
encrypting, by the touch screen controller, the keying event;
transmitting, to the secure element, the encrypted keying event;
decrypting, by the secure element, the encrypted keying event; and
reconstituting, by the secure element, a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.
21. A computer-implemented system for authenticating a user, the system comprising: a processor;
an isolated secured area associated with the processor;
a non-transitory computer-readable medium operatively connected to the processor;
a display screen operatively connected to a display screen controller;
the display screen controller operatively connected to the processor;
a touch screen operatively connected to a touch screen controller;
the touch screen controller operatively connected to the processor;
a secure element associated with the processor;
the processor being configured to cause:
generating a correspondence table, a hot spots layout and a visual representation of a scrambled keypad;
transmitting, to the secure element, the correspondence table;
transmitting, to the display controller, the visual representation of the scrambled keypad;
transmitting, to the touch screen controller, the hot spots layout;
causing to display, by the display controller, the scrambled keypad on the display screen;
detecting, by the touch screen controller, a touch event input from the user on the touchpad;
generating, by the touch screen controller, a keying event based on the touch event input;
encrypting, by the touch screen controller, the keying event;
transmitting, to the secure element, the encrypted keying event;
decrypting, by the secure element, the encrypted keying event; and
reconstituting, by the secure element, a personal identification code (PIC) associated with the user based on the keying event and the correspondence table.
22. The system of claim 21, wherein the processor comprises the isolated secured area.
23. The system of claim 21, wherein the isolated secured area is hosted on a second processor, different from the processor.
24. The system of any of claims 21 to 23, wherein the processor is further configured to cause: prior to transmitting, to the secure element, the correspondence table, encrypting the correspondence table.
25. The system of any of claims 21 to 23, wherein the processor is further configured to cause: after encrypting the correspondence table, decrypting, by the secure element, the correspondence table.
26. The system of any of claims 21 to 25, wherein an unencrypted version of the PIC remains inaccessible to any one of the processor, the display controller, the touch screen controller and the isolated secured area of the processor, at any given time.
27. The system of any of claims 21 to 26, wherein an unencrypted version of the PIC is solely accessible by the secure element.
28. The system of any of claims 21 to 27, wherein the isolated secured area only accesses an encrypted version of the PIC.
29. The system of any of claims 21 to 28, wherein the touch screen controller does not have access to the correspondence table nor to the visual representation of the scrambled keypad, at any given time.
30. The method of any of claims 21 to 29, wherein the secure element is securely connected to the processor.
31. The system of any of claims 21 to 30, wherein the isolated secured area of the processor comprises a trusted user interface.
32. The system of claim 31, wherein the touch screen controller is securely connected to the trusted user interface.
33. The system of any of claims 21 to 32, wherein the processor is further configured to cause: re-scrambling at least a portion of the correspondence table and the visual representation of the scrambled keypad after a touch event occurs.
34. The system of any of claims 21 to 33, wherein multiple correspondence tables, hot spots layouts and visual representations of scrambled keypads are generated before a touch event occurs.
35. The system of any of claims 21 to 34, wherein the visual representation of the scrambled keypad is at least one of an image and a video stream.
36. The system of any of claims 21 to 35, wherein the processor is further configured to cause: causing to display, by the display controller, a security indicator previously associated with the user.
37. The system of claim 36, wherein the security indicator previously associated with the user is stored in the isolated secured area of the processor.
38. The system of any of claims 21 to 37, wherein the processor is further configured to cause:
encrypting the reconstituted PIC by the secure element; and
transmitting the encrypted reconstituted PIC to the processor.
39. The system of any of claims 21 to 38, wherein the secure element is at least one of a hardware element operatively connected to the processor, a software component run by the processor, the isolated secured area and a portion of the isolated secured area.
40. The system of any of claims 21 to 39, wherein generating the correspondence table, the hot spots layout and the visual representation of a scrambled keypad is executed by one of the isolated secured area of the processor and the secure element.
41. The system of any of claims 21 to 40, wherein reconstituting the PIC associated with the user comprises mapping the keying event to a value using the correspondence table.
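The split of knowledge that claims 20 to 41 rely on (the touch screen controller holds only the hot spots layout, the secure element only the correspondence table, and only an encrypted keying event crosses between them) can be exercised in a small simulation. The following Python is an added example, not code from the patent or from Mobeewave; it assumes a two-row 40x60 px keypad layout, a constructed HMAC-SHA256 keystream cipher as a stand-in for whatever cipher the device uses on the controller-to-secure-element link, and the user reading the visual representation directly in place of the display controller path. The `rescramble` switch models claim 33 (a fresh table, layout and visual after each touch event).

```python
import hashlib
import hmac
import random

NONCE_LEN, TAG_LEN = 8, 32

def generate_keypad(rng):
    """Trusted-side generation: correspondence table {hot_spot_id: digit}, hot spots
    layout {hot_spot_id: (x0, y0, x1, y1)} and visual {hot_spot_id: label}."""
    digits = list("0123456789")
    rng.shuffle(digits)
    table, layout, visual = {}, {}, {}
    for hid in range(10):                        # two rows of five 40x60 px keys
        x0, y0 = (hid % 5) * 40, (hid // 5) * 60
        layout[hid] = (x0, y0, x0 + 40, y0 + 60)
        table[hid] = visual[hid] = digits[hid]
    return table, layout, visual

def _xor_keystream(key, nonce, data):
    # Constructed stand-in cipher (HMAC-SHA256 keystream XOR, encrypt-then-MAC);
    # the claims do not name the cipher used on the controller-to-SE link.
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(b ^ s for b, s in zip(data, stream))

def encrypt(key, nonce, plaintext):
    body = _xor_keystream(key, nonce, plaintext)
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("keying event failed authentication")
    return _xor_keystream(key, nonce, body)

class TouchScreenController:
    """Gets only the hot spots layout and a session key, never the table."""
    def __init__(self, layout, key):
        self.layout, self.key, self.counter = layout, key, 0

    def on_touch(self, x, y):
        for hid, (x0, y0, x1, y1) in self.layout.items():
            if x0 <= x < x1 and y0 <= y < y1:
                self.counter += 1                # one nonce per keying event
                nonce = self.counter.to_bytes(NONCE_LEN, "big")
                return encrypt(self.key, nonce, bytes([hid]))   # event = hot spot id
        return None                              # touch outside every hot spot

class SecureElement:
    """Gets the correspondence table and the session key; reconstitutes the PIC."""
    def __init__(self, table, key):
        self.table, self.key, self.digits = table, key, []

    def receive(self, blob):
        hid = decrypt(self.key, blob)[0]
        self.digits.append(self.table[hid])      # map keying event to a digit

    def reconstituted_pic(self):
        return "".join(self.digits)

def enter_pic(pic, seed=None, rescramble=False, key=b"constructed-session-key"):
    """Run the whole flow for a PIC the user types. Returns (hot spot ids the
    controller saw, PIC the secure element reconstituted). A fixed seed makes the
    scramble reproducible; rescramble=True regenerates after every touch event."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    table, layout, visual = generate_keypad(rng)
    tsc, se, seen = TouchScreenController(layout, key), SecureElement(table, key), []
    for digit in pic:
        hid = next(h for h, label in visual.items() if label == digit)  # user reads display
        x0, y0, x1, y1 = layout[hid]
        blob = tsc.on_touch((x0 + x1) // 2, (y0 + y1) // 2)
        seen.append(hid)
        se.receive(blob)
        if rescramble:                           # new table/layout/visual per keystroke
            table, layout, visual = generate_keypad(rng)
            tsc.layout, se.table = layout, table
    return seen, se.reconstituted_pic()
```

The hot spot ids returned in `seen` are what an observer of the controller-to-secure-element link could learn at most; without the correspondence table they do not identify the digits.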
EP16881348.3A 2015-12-28 2016-12-01 System for and method of authenticating a user on a device Revoked EP3381003B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PL16881348T PL3381003T3 (en) 2015-12-28 2016-12-01 System for and method of authenticating a user on a device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562271428P 2015-12-28 2015-12-28
PCT/IB2016/057249 WO2017115174A1 (en) 2015-12-28 2016-12-01 System for and method of authenticating a user on a device

Publications (3)

Publication Number Publication Date
EP3381003A1 true EP3381003A1 (en) 2018-10-03
EP3381003A4 EP3381003A4 (en) 2018-10-31
EP3381003B1 EP3381003B1 (en) 2020-02-12

Family

ID=59225789

Family Applications (1)

Application Number Title Priority Date Filing Date
EP16881348.3A Revoked EP3381003B1 (en) 2015-12-28 2016-12-01 System for and method of authenticating a user on a device

Country Status (9)

Country Link
US (1) US20180374392A1 (en)
EP (1) EP3381003B1 (en)
KR (1) KR20180099811A (en)
CN (1) CN108475376A (en)
AU (1) AU2016380914B2 (en)
CA (1) CA3008571C (en)
ES (1) ES2790645T3 (en)
PL (1) PL3381003T3 (en)
WO (1) WO2017115174A1 (en)

Also Published As

Publication number Publication date
CN108475376A (en) 2018-08-31
US20180374392A1 (en) 2018-12-27
EP3381003B1 (en) 2020-02-12
AU2016380914B2 (en) 2021-01-07
CA3008571C (en) 2020-12-15
WO2017115174A1 (en) 2017-07-06
AU2016380914A1 (en) 2018-07-12
CA3008571A1 (en) 2017-07-06
EP3381003A4 (en) 2018-10-31
ES2790645T3 (en) 2020-10-28
PL3381003T3 (en) 2020-09-07
KR20180099811A (en) 2018-09-05

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20180627

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

A4 Supplementary search report drawn up and despatched

Effective date: 20180927

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/06 20090101ALI20180922BHEP

Ipc: G06Q 20/40 20120101AFI20180922BHEP

Ipc: G06F 21/36 20130101ALI20180922BHEP

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Ref document number: 602016029846

Country of ref document: DE

Free format text: PREVIOUS MAIN CLASS: G06Q0020400000

Ipc: G06F0021310000

RIC1 Information provided on ipc code assigned before grant

Ipc: H04W 12/06 20090101ALI20190731BHEP

Ipc: G06Q 20/40 20120101ALI20190731BHEP

Ipc: H04L 9/32 20060101ALI20190731BHEP

Ipc: G06F 21/36 20130101ALI20190731BHEP

Ipc: G06Q 20/32 20120101ALI20190731BHEP

Ipc: G07F 7/08 20060101ALI20190731BHEP

Ipc: G06F 21/31 20130101AFI20190731BHEP

Ipc: G07F 7/10 20060101ALI20190731BHEP

Ipc: G06F 21/83 20130101ALI20190731BHEP

Ipc: G09C 5/00 20060101ALI20190731BHEP

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20190918

RIN1 Information on inventor provided before grant (corrected)

Inventor name: ALIMI, VINCENT

Inventor name: OLLIVIER, JULIEN

Inventor name: FONTAINE, SEBASTIEN

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1233081

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200215

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602016029846

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: SE

Ref legal event code: TRGR

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200512

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20200212

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200512

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200612

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200513

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

REG Reference to a national code

Ref country code: DE

Ref legal event code: R081

Ref document number: 602016029846

Country of ref document: DE

Owner name: MOBEEWAVE SYSTEMS ULC, CA

Free format text: FORMER OWNER: MOBEEWAVE INC., MONTREAL, QUEBEC, CA

Ref country code: ES

Ref legal event code: FG2A

Ref document number: 2790645

Country of ref document: ES

Kind code of ref document: T3

Effective date: 20201028

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200705

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

REG Reference to a national code

Ref country code: CH

Ref legal event code: PFA

Owner name: MOBEEWAVE SYSTEMS ULC, CA

Free format text: FORMER OWNER: MOBEEWAVE INC., CA

Ref country code: CH

Ref legal event code: NV

Representative's name: BOVARD SA NEUCHATEL CONSEILS EN PROPRIETE INTE, CH

REG Reference to a national code

Ref country code: DE

Ref legal event code: R026

Ref document number: 602016029846

Country of ref document: DE

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1233081

Country of ref document: AT

Kind code of ref document: T

Effective date: 20200212

PLBI Opposition filed

Free format text: ORIGINAL CODE: 0009260

PLAX Notice of opposition and request to file observation + time limit sent

Free format text: ORIGINAL CODE: EPIDOSNOBS2

RAP2 Party data changed (patent owner data changed or rights of a patent transferred)

Owner name: MOBEEWAVE SYSTEMS ULC

26 Opposition filed

Opponent name: MYPINPAD LIMITED

Effective date: 20201111

26 Opposition filed

Opponent name: LICENTIA GROUP LIMITED

Effective date: 20201112

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: SE

Payment date: 20201211

Year of fee payment: 5

Ref country code: CH

Payment date: 20201215

Year of fee payment: 5

Ref country code: GB

Payment date: 20201118

Year of fee payment: 5

Ref country code: IE

Payment date: 20201209

Year of fee payment: 5

Ref country code: DE

Payment date: 20201118

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

REG Reference to a national code

Ref country code: CH

Ref legal event code: NV

Representative's name: AMMANN PATENTANWAELTE AG BERN, CH

RAP4 Party data changed (patent owner data changed or rights of a patent transferred)

Owner name: MOBEEWAVE SYSTEMS ULC

RDAF Communication despatched that patent is revoked

Free format text: ORIGINAL CODE: EPIDOSNREV1

REG Reference to a national code

Ref country code: DE

Ref legal event code: R103

Ref document number: 602016029846

Country of ref document: DE

Ref country code: DE

Ref legal event code: R064

Ref document number: 602016029846

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20201231

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201231

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201201

RDAG Patent revoked

Free format text: ORIGINAL CODE: 0009271

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: PATENT REVOKED

REG Reference to a national code

Ref country code: FI

Ref legal event code: MGE

27W Patent revoked

Effective date: 20210813

GBPR Gb: patent revoked under art. 102 of the ep convention designating the uk as contracting state

Effective date: 20210813

REG Reference to a national code

Ref country code: SE

Ref legal event code: ECNC

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20200212

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: ES

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201202

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20201201